ABSTRACT


An  increasing  national  priority  on  quality  in  product  design  and  manufacturing 
requires new understanding to achieve significant advancement. Fault-tolerant control, a
discipline  capable  of  high-level  decision  making  and  task  execution,  is  a  necessary 
component  for  ensuring  system  reliability  in  the  hierarchy  of  intelligent  control  systems.  In 
contrast  with  current  research,  redundant  control  structures  provide  real-time  fault  tolerance 
and  error  accountability  for  systems  in  an  untended  manufacturing  environment  without  the 
use  of  a  process  model.  Fault  detection  and  isolation  (FDI)  is  optimized  with  respect  to  a 
risk  or  cost  function  equivalent  to  the  probability  of  decision  error  and  is  generalized  to 
account  for  both  positive  and  negative  faults  within  any  controller.  The  resultant  test 
compares  a  significant  statistic  to  a  derived  threshold  which  is  adjusted  over  the  mission  to 
reflect  any  change  in  the  reliability  of  the  control  structure.  The  performance  of  the  FDI 
scheme  is  found  to  be  proportional  to  the  failure  signal-to-noise  ratio.  The  effect  of 
multiple faults on the probability of decision error is found to be negligible, assuming a
uniform fault distribution. Analysis of these redundant structures and their associated FDI
and  reconfiguration  schemes  emphasizes  a  probabilistic  set  of  system  states  which 
represents  all  a  priori  uncertainty  inherent  within  the  control  system.  Information  theory 
defines  entropy  as  a  logarithmic  measure  of  system/decision  uncertainty.  This  allows  for  a 
comparison  of  the  effective  system  performance  of  redundant  structures.  The  optimal 
redundant  structure  for  fault-tolerance  is  reached  by  utilizing  a  highly  reliable  control 
structure  at  the  greatest  level  of  redundancy  while  maintaining  near-perfect  FDI  at  all  levels 
of  operation.  This  allows  maximizing  the  information  rate  of  the  discrete  FDI  decision 
scheme  while  minimizing  the  error  variance  of  the  controlled  parameter.  Further,  the 
average  mission  or  period  of  working  operation  is  increased  due  to  successive  stages  of 
reduced  operation. 

Chapter 1: The Problem, Method of Approach, and Results


1.1.  The  Challenge  for  Quality 

An  increasing  national  priority  on  quality  in  product  design  and  manufacturing 
requires  new  understanding  to  achieve  significant  advancement.  As  real-time,  computer- 
based  measurement  and  actuation  systems  have  increased  in  complexity,  human  capabilities 
to  conceptualize  such  systems  with  mathematical  models  have  been  challenged.  The  IEEE 
Control  Systems  Society  and  the  National  Science  Foundation  (NSF)  invited  fifty-two 
eminent  contributors  in  the  field  of  control  to  a  workshop  at  the  University  of  Santa  Clara 
in  September,  1986.  Their  perspectives  on  important  research  areas,  documented  in 
"Challenges  to  Control:  A  Collective  View"  by  editor  A.  H.  Levis,  included: 

Due  to  the  often  unrealistic  assumptions  that  the  mathematical  model  of  the 
system  be  completely  known  and  that  the  model  have  the  form  of  linear 
differential  (or  difference)  equations  .  .  .  control  theorists  are  now 
challenged  to  expand  their  horizons  and  to  extend  their  concepts  and 
methods  to  be  applicable  to  incompletely  modeled  systems . . .  [Levis] 

Indeed,  current  engineering  strategies  show  widespread  traditional  use  of  empirically 
designed  manufacturing  elements,  described  in  terms  of  qualitative  domain  knowledge  as 
opposed  to  quantitative  modelling  efforts.  [Bobrow]  Processes  which  necessitate  these 
highly  complex  representations  can  benefit  from  equally  complex  self-organizing  (i.e. 
intelligent)  control  structures  to  accommodate  incomplete  a  priori  knowledge  and  reducible 
uncertainties.  This  "complex  process  -  complex  controller"  paradigm  constitutes  the  most 
advanced  automatic  control  presently  realizable,  and  provides  the  basis  for  a  productive 
research  effort  to  achieve  new  levels  of  performance,  and  hence  quality,  in  manufacturing 
enterprises.  [Saridis] 

Fault-tolerant control, a discipline capable of high-level decision making and task
execution,  is  a  necessary  component  for  ensuring  system  reliability  in  the  hierarchy  of 
intelligent  control  systems.  [Saridis]  Coverage  is  the  property  of  a  system  which  defines 
its  ability  to  tolerate  failures  of  a  specified  subset  or  percentage  of  its  components  (i.e.  the 
degree  of  its  fault  tolerance).  Fault-tolerant  applications  that  require  the  most  efficient 
coverage  of  any  failures  at  all  times,  within  given  limitations  on  hardware  and  knowledge, 
dictate  the  use  of  fault  detection  and  isolation  (FDI)  schemes  to  properly  reconfigure  the 
system  for  continued  operation  with  a  minimal  loss  in  performance.  Levis  writes: 

A  more  general  class  of  control  systems  which  adapt  to  significant  changes  in  their 
environment  is  ...  fault-tolerant  control  systems.  In  this  class  of  problems  we 
admit  that  one  or  more  key  components  of  the  physical  feedback  system  will  fail 
and  that  this  failure  can  have  significant  impact  on  stability  or  performance.  The 
idea  is  to  design  the  control  system  so  as  to  retain  stability  and  lose  performance  in 
a  gracefully  degraded  manner.  It  may  be  necessary  to  reconfigure  the  control 
system  following  the  detection  of  such  failures.  For  example,  a  real-time  decision 
will  have  to  be  made  on  whether  we  should  ...  accept  some  performance 
degradation  or  ...  concentrate  on  maintaining  stability  and  perhaps  -  after  the 
transients  have  died  out  -  reconfigure  again  to  achieve  optimal  performance.  A 
challenging  problem  for  control  theory  is  to  take  into  account  advances  in  computer 
technology  and  to  stimulate  the  development  of  real-time  and  concurrent  systems 
which  allow  the  implementation  of  such  control  strategies  in  hardware  form. 
[Levis] 

This  challenge  is  taken  up  in  the  following  thesis  on  the  implementation  and  analysis  of 
fault-tolerant  control  with  redundant  control  structures. 


In contrast with current fault-tolerant control schemes, the dual-difference
redundant structure (DDRS) and triple redundant structure (TRS) provide real-time fault
tolerance and error accountability for sensor systems in an untended manufacturing
environment without the use of a process model. A major concern during the control of
any  system  or  process  is  the  level  of  confidence  associated  with  the  controlled  parameters. 
In  a  paper  on  the  fundamental  issues  and  architecture  for  autonomous  control  systems, 
Antsaklis  also  determined  the  necessity  of  fault-tolerant  control  in  an  environment  of 
significant  uncertainty: 

There  must  be  certain  features  inherent  in  the  autonomous  system  design.  In 
addition  to  supervising  and  tuning  the  control  algorithm,  the  autonomous  controller 
must  also  provide  a  high  degree  of  tolerance  to  failures.  Design  features  should 
prevent  failures  that  would  jeopardize  the  overall ...  mission  goals  or  safety.  This 
implies  that  the  controller  should  have  self-test  capability  ... ,  tolerance  of  transient 
errors,  adjustable  fault  detection  thresholds,  reversible  state  changes,  and  protection 
from  invalid  external  commands.  To  achieve  this,  high  level  decision  making 
techniques  for  reasoning  under  uncertainty  and  taking  actions  must  be  utilized. 
[Antsaklis] 

The  fault-tolerant  control  structures  presented  in  this  thesis  are  designed  to  take  advantage 
of the benefits of redundancy while incorporating these and other design features. These
redundant  structures  represent  the  base  level  in  a  possible  hierarchy  of  system  fault 
detection  and  diagnostic  schemes.  [Saridis,  Antsaklis]  Upon  validation  of  the  control 
structure  by  FDI  algorithms,  confidence  can  be  placed  in  the  controlled  parameter  within 
the  derived  accuracy.  This  allows  a  solid  base  upon  which  to  build  further  reasoning  about 
the  process  or  system.  With  the  empirical  knowledge  provided,  the  host  system  can 
monitor  the  process,  infer  its  current  state  via  process  models,  and  reason  about  future 
control  needs.  This  concept  highlights  the  distinction  from  current  fault-tolerant  schemes 
which  utilize  an  explicit  process  model  as  the  very  foundation  of  the  control  hierarchy  and 
have  been  found  to  be  highly  sensitive  to  uncertainty  or  error  within  the  process  model. 
[Emami-Naeini,  Horak] 

The FDI algorithms designed for the redundant control structures are based upon a
mapping from the observable or measurable space of the control system to a
hypothesis/decision space and therefore imply a decision-making process. Levis refers to
this  form  of  hypothesis  testing  as  a  "hybrid  model  approach"  incorporating  both  higher 
discrete  levels  of  information  and  the  continuous  data  received  at  the  process  level. 

Multiple  model  hypothesis  testing  is  a  very  important  process  in  symbolic 
reasoning.  In  such  problems  we  have  a  discrete  set  of  alternative  interpretations  of 
data,  we  have  models  for  each,  and  we  have  optimal  processors  for  each  that  allow 
us  to  produce  statistics  that  form  the  basis  for  efficient  and  rational  assessment  of 
which  alternative  is  most  likely  to  be  correct.  ...  This  hybrid  model  approach 
provides  a  framework  in  which  it  is  possible  to  think  about  fusing  all  types  of 
knowledge  and  information.  It  also  very  naturally  reduces  data  and  knowledge  to 
statistics  as  the  basis  for  higher-level  reasoning  and  is  well  set  up  for  parallel 
processing.  ...  the  modelling  of  (this)  uncertainty  is  to  be  "structured"  so  as  to 
exploit  all  relevant  a  priori  information  about  the  plant  to  be  controlled,  including 
not  only  numerical,  but  also  qualitative  and  linguistic  descriptions.  [Levis] 

Analysis  of  these  redundant  structures  and  their  associated  FDI  and  reconfiguration 
schemes  emphasizes  a  probabilistic  set  of  system  states  which  represents  all  a  priori 
uncertainty  inherent  within  the  control  system.  This  status  information,  presented  to  the 
host  system,  provides  a  confidence  metric  with  each  controlled  parameter  and  thus 
facilitates  qualitative  reasoning  about  the  process  for  goal-oriented  control  purposes 
[Garrett,  Matejka,  Fox].  For  example,  in  a  qualitative  control  system  which  can  select 
among  alternative  control  actions  during  a  specific  process  instance  to  achieve  process 
goals,  the  availability  of  this  controller  status  information  can  meaningfully  influence  this 
choice  by  quantifying  the  confidence  associated  with  each  measured  variable.  Hence,  the 
hierarchy  of  intelligent  controllers  combines  local,  low-level  observation  and  broader, 
higher-level  reasoning  and  planning  in  order  to  ensure  continuous  and  efficient  system 
performance  and  knowledge. 

Entropy provides the structure which Levis sought in a model of uncertainty ... a
structure  in  which  different  knowledge  sources  can  be  represented,  combined,  and 
compared.  The  concept  of  entropy  has  a  rich  history  that  defies  disciplinary  boundaries  in 
its  application.  Information  theory  defines  entropy  as  a  logarithmic  measure  of  the 
randomness  or  'choice'  involved  in  an  event  or  the  prior  uncertainty  of  the  outcome  of  an 
experiment.  Shannon's  celebrated  paper  on  the  "Mathematical  Theory  of  Communication" 
in  the  Bell  System  Technical  Journal,  1948,  is  generally  considered  to  be  the  first  detailed 
exposition on information theory. [Shannon] Saridis and Valavanis use entropy as a
unified quantification of disorder in each of three levels (i.e. execution, coordination, and
management) of a hierarchical system based on the principle of "increasing intelligence with
decreasing  precision".  In  an  intelligent  controller,  the  control  action  that  will  decrease  the 
entropy  of  the  system  is  initiated.  [Valavanis]  Stephanou  found  that  entropy  provides  a 
quantitative  criterion  for  measuring  the  effectiveness  of  a  consensus  obtained  from  the 
pooling  of  evidence  from  independent  knowledge  sources.  This  focusing  of  knowledge 
allows  a  subsequent  reduction  in  an  experiment's  uncertainty  or  entropy.  [Stephanou]  In 
this  thesis,  this  metric  of  uncertainty  allows  for  comparisons  of  the  effective  system 
performance  for  different  redundant  structures.  For  example,  system  entropy  is  found  to 
decrease  with  each  level  of  redundancy  when  a  near-optimal  FDI  scheme  is  employed.  In 
addition, the benefits of active redundancy over passive techniques such as majority-voting
are clearly observed. This widespread application of entropy attests to its fundamental
nature  and  allows  for  linkage  into  a  more  comprehensive  system  representation  of 
uncertainty  by  incorporation  of  other  system  entropies. 

1.2.  Method of Approach


In  Chapter  2,  an  analysis  of  the  typical  control  structure  by  Garrett  describes  each 
functional  component  of  the  system  and  provides  a  tabular  form  for  itemizing,  quantizing, 
and  minimizing  worst-case  errors  of  an  average,  random,  or  systematic  nature.  [Garrett] 
This  error  budget  presents  all  error  sources  and  their  bounds  in  a  standard  format  to  allow 
comparison  and  combination  of  all  system  errors.  The  result  is  a  stationary,  Gaussian  error 
function  of  minimal  mean  and  variance  conditioned  on  the  reliable  performance  of  the 
control  structure.  This  probability  density  function  defines  the  uncertainty  of  the  control 
structure  at  any  given  point  in  time  of  its  operation.  However,  we  are  also  uncertain  as  to 
whether  the  control  structure  is  operating  properly  at  this  stage  in  its  lifetime  or  mission. 
The  following  chapter  reviews  reliability  theory  and  proposes  a  failure  rate  budget  (the 
conceptual  equivalent  to  the  error  budget)  to  account  for  all  sources  of  failure  within  the 
control  structure.  Reliability  is  represented  by  a  maximized  exponential  density  function  of 
time.  These  models  provide  a  complete  concept  of  all  a  priori  knowledge  of  the  control 
structure.  It  is  found  in  Chapter  5  that  these  functions  conform  to  Jaynes'  method  of 
maximum  entropy  where  a  chosen  model  remains  minimally  prejudiced  with  respect  to  any 
missing  information.  Thus,  our  error  and  reliability  models  exhibit  a  dualism  in  their 
origination  and  application.  Further,  these  models  can  be  optimized  with  respect  to  each 
application  based  on  the  give-and-take  between  the  costs  of  various  sources  included  in  the 
error  and  failure  rate  budgets. 

In  Chapter  3,  we  also  find  that  redundancy  allows  further  improvement  of  the 
control  structure's  error  and  reliability.  For  example,  the  deviation  in  the  error  function  of 
the  control  signal  is  reduced  through  the  averaging  of  the  redundant  outputs,  owing  to  the 
essentially  uncorrelated  error  contributions  of  each  structure's  elements.  This  reduction  in 
error  variance  is  shown  to  be  optimal  with  respect  to  redundant  hardware  for  two 
structures.  Analysis  of  redundant  structures  shows  additional  benefits  in  improved 
reliability occurring with each level of redundancy. Each additional structure in a redundant
configuration  provides  an  order  of  magnitude  improvement  in  the  reliability  of  the 
configuration  during  short  term  missions  or  earlier  periods  of  extended  operation. 
However,  these  benefits  are  only  possible  under  the  unlikely  assumption  of  perfect  fault 
coverage  and,  without  such  ideal  conditions,  are  achieved  at  the  cost  of  increased  entropy 
or  uncertainty  with  each  level  of  redundancy  (Chapter  5).  An  attempt  to  recoup  these 
losses  via  fault  detection  and  isolation  techniques  is  presented  in  Chapter  4. 

In  Chapter  4,  the  dual-difference  redundant  structure  (DDRS)  and  triple  redundant 
structure (TRS) are designed to provide fault-tolerant control (i.e. fault detection, isolation,
and reconfiguration) to the extent of their capabilities. Active redundancy achieves greater
fault coverage than the masking techniques of passive redundancy (e.g. TMR or NMR) in
that fault occurrences are detected and not merely screened. The dual-difference redundant
structure provides quick and efficient front-end fault detection with a simple difference test,
yet fault isolation is only possible to the extent which the simplex fault detection schemes
provide fault coverage. The triple redundant structure, however, provides both efficient
fault detection and isolation with a more complex FDI scheme. Additionally, limit and rate
checking will detect extreme bias and noise conditions which comprise the majority of
spontaneous or transient faults. Reconfiguration consists of a graceful and recoverable
reorganization of the system to a structure of lesser redundancy and reduced performance.
Hence, each redundant control structure is a subset of all structures of greater redundancy.
For example, the TRS is reconfigured to the DDRS upon fault detection with the two
remaining valid controllers. In this manner, fault-tolerant control is achieved. However,
any problems occurring within the process or to the signal outside of the control structure
cannot be considered a fault. Deviations of the measured parameter from expected values
due  to  these  problems  will  be  transparent  to  the  FDI  scheme  and  must  be  detected  by  the 
host  computer  at  system  level. 

The fault detection and isolation (FDI) scheme assumes a classical, M-ary
hypothesis test with a fixed, singular data sample. Thus, there are M possible alternatives
or event-hypothesis pairings each time a decision must be made. With any decision-making
process comes the possibility of decision errors; in this case, there is an inherent
give-and-take between the two decision errors of false alarms and missed detections. With
any FDI scheme, it is found that the probability of these decision errors is inversely
proportional to the failure signal-to-noise ratio (SNR). This analysis is concerned with the
worst-case magnitude of f (fmin) which is the smallest fault (and, thus, the hardest to
detect) of accountable cost for the current application. It is further generalized to account
for  both  positive  and  negative  faults  within  any  controller.  A  second  concern  of  decision 
error  is  the  possible  missed  detection  of  certain  multiple  faults  which  are  hidden  from  the 
FDI  scheme.  For  example,  the  difference  test  is  insensitive  to  a  dual  fault  where  a  fault  of 
approximately  equal  amplitude  occurs  on  both  controllers.  This  analysis  assumed  a 
uniform  fault  distribution  across  the  space  of  all  possible  faults  and  found  the  effect  of 
multiple  faults  on  the  probability  of  decision  error  to  be  negligible.  The  resultant  set  of 
system  states  and  their  associated  probabilities  is  determined  from  a  decision  tree  for  each 
redundant  structure  based  on  its  FDI  and  reconfiguration  schemes. 

Several  fault  detection  and  isolation  schemes  are  examined  for  each  redundant 
structure.  The  FDI  scheme  can  be  optimized  by  using  a  generalized  likelihood  ratio  test 
(GLRT)  which  is  based  on  a  degenerated  Bayes  criterion.  This  analysis  utilizes  the  special 
cost  assignment  where  correct  decisions  incur  no  penalty  and  incorrect  decisions  incur  the 
same  penalty.  With  this  cost  assignment,  risk  is  equivalent  to  the  probability  of  decision 
error.  The  likelihood  ratio  is  determined  directly  from  the  ratio  of  the  marginal  or 
conditional densities of the parameter or parity vector under either event. Another possible
FDI scheme is based upon the classical Neyman-Pearson criterion of radar detection
theory. Here, the conditional probability of false alarms P_FA is constrained to remain less
than some arbitrarily small value α, known as the level or significance level of the test, and
then the conditional probability of fault detection P_D is maximized to some value (1-β),
known as the power of the test. The resultant test for either FDI scheme compares a
significant statistic (e.g. the radius or absolute difference) to a derived threshold and is thus
generalized in order to account for a fault in any controller. This threshold is held constant
by the Neyman-Pearson criterion and is completely defined upon choosing the level of the
test (α). For the Bayes criterion, the threshold is varied according to the prior event
probabilities  of  the  control  structure  in  order  to  minimize  the  probability  of  decision  error. 
For  example,  the  threshold  is  originally  made  quite  large  compared  to  the  fault  magnitude 
while  the  probability  of  normal  operation  is  high  and  is  subsequently  pulled  closer  to  the 
origin  as  the  probability  of  a  structure  fault  becomes  predominant. 
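
The two threshold rules described above can be compared numerically for the dual-difference test. The following is an added example, not code from the thesis. It assumes two controllers with independent Gaussian errors of standard deviation sigma, a fault of +fmin or -fmin (equally likely) on one controller, a prior probability of normal operation exp(-2*lambda*t) from a constant failure rate lambda, and constructed numeric values; it fixes the fault magnitude at fmin rather than estimating it as a GLRT would.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()  # zero-mean, unit-variance Gaussian

# Constructed sample mission times in hours (not from the thesis).
SAMPLE_TIMES = [10, 100, 1000, 10000, 50000]


def q(x):
    """Gaussian tail probability Q(x) = P(N(0,1) > x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def p_false_alarm(threshold, sigma_d):
    """P(|d| > T) with no fault, where the difference d ~ N(0, sigma_d^2)."""
    return 2.0 * q(threshold / sigma_d)


def p_detect(threshold, f, sigma_d):
    """P(|d| > T) when one controller carries a fault of +f or -f."""
    return q((threshold - f) / sigma_d) + q((threshold + f) / sigma_d)


def p_error(threshold, p_normal, f, sigma_d):
    """Probability of decision error: false alarms plus missed detections."""
    miss = 1.0 - p_detect(threshold, f, sigma_d)
    return p_normal * p_false_alarm(threshold, sigma_d) + (1.0 - p_normal) * miss


def neyman_pearson_threshold(alpha, sigma_d):
    """Constant threshold that holds the false-alarm probability at alpha."""
    return sigma_d * STD_NORMAL.inv_cdf(1.0 - alpha / 2.0)


def bayes_threshold(p_normal, f, sigma_d):
    """Minimum-error threshold on |d| for equal costs of both error types.

    The likelihood ratio is exp(-f^2 / (2 sigma_d^2)) * cosh(f |d| / sigma_d^2);
    a fault is declared when it exceeds p_normal / (1 - p_normal).
    """
    if p_normal >= 1.0:
        return math.inf          # a fault is impossible a priori: never alarm
    if p_normal <= 0.0:
        return 0.0               # a fault is certain a priori: always alarm
    log_arg = math.log(p_normal / (1.0 - p_normal)) + f * f / (2.0 * sigma_d ** 2)
    if log_arg <= 0.0:
        return 0.0               # prior fault probability dominates the evidence
    # acosh(exp(L)) written in a form that cannot overflow for large L
    acosh = log_arg + math.log1p(math.sqrt(1.0 - math.exp(-2.0 * log_arg)))
    return (sigma_d ** 2 / f) * acosh


def mission_table(times, failure_rate, n_controllers, sigma, f_min, alpha):
    """Threshold and decision-error probability of both rules over a mission."""
    sigma_d = sigma * math.sqrt(2.0)   # std of the difference of two outputs
    t_np = neyman_pearson_threshold(alpha, sigma_d)
    rows = []
    for t in times:
        # Assumed prior: every controller survives with constant failure rate.
        p_normal = math.exp(-n_controllers * failure_rate * t)
        t_bayes = bayes_threshold(p_normal, f_min, sigma_d)
        rows.append({
            "t": t,
            "p_normal": p_normal,
            "t_np": t_np,
            "t_bayes": t_bayes,
            "pe_np": p_error(t_np, p_normal, f_min, sigma_d),
            "pe_bayes": p_error(t_bayes, p_normal, f_min, sigma_d),
        })
    return rows


if __name__ == "__main__":
    # Constructed values: sigma and f_min in %FS, failure rate per hour.
    for r in mission_table(SAMPLE_TIMES, 1e-4, 2, 0.1, 0.5, 0.01):
        print("t={t:>6} h  P(normal)={p_normal:.4f}  T_NP={t_np:.3f}  "
              "T_Bayes={t_bayes:.3f}  Pe_NP={pe_np:.2e}  "
              "Pe_Bayes={pe_bayes:.2e}".format(**r))
```

Under these assumptions the Bayes threshold starts above the fault magnitude and falls to zero late in the mission, while the Neyman-Pearson threshold stays fixed and pays for it in decision-error probability.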

In  Chapter  5,  we  analyze  all  relevant  a  priori  uncertainty  or  entropy  within  the 
control  system.  The  minimized  Gaussian  error  function  and  the  maximized  exponential 
reliability  function  provide  a  complete  concept  of  all  a  priori  knowledge  of  the  control 
structure.  The  marginal  or  conditional  probabilities  of  the  FDI  schemes  describe  the 
performance  statistics  associated  with  the  redundant  structure.  The  resultant  set  of  system 
states  and  their  associated  probabilities,  as  illustrated  by  the  decision  tree,  represents  all  a 
priori  uncertainty  in  the  control  system.  Information  theory  defines  entropy  as  a 
logarithmic  measure  of  the  randomness  or  'choice'  involved  in  an  event  or  the  prior 
uncertainty  of  the  outcome  of  an  experiment.  This  metric  of  uncertainty  allows  for 
comparisons  of  the  effective  system  performance  for  different  redundant  structures. 

1.3.  Results and Conclusions


1.  This thesis concerns the implementation and analysis of redundant structures in
fault-tolerant  control.  Complex,  intelligent  control  structures  are  sought  which: 
provide  robust,  optimized  fault  tolerance;  can  be  implemented  efficiently  upon  any 
process;  and  do  not  require  a  process  or  signal  model.  These  structures  can  be 
utilized  in  a  broad  range  of  applications  and  define  a  unifying  base  for  the 
hierarchical  architecture  of  autonomous  control. 

2.  In contrast with current fault-tolerant control schemes, the dual-difference
redundant  structure  (DDRS)  and  triple  redundant  structure  (TRS)  provide  real-time 
fault  tolerance  and  error  accountability  for  sensor  systems  in  an  untended 
manufacturing  environment  without  the  use  of  a  process  model.  The  DDRS 
provides  quick  and  efficient  front-end  fault  detection  with  a  simple  difference  test, 
yet  fault  isolation  is  only  possible  to  the  extent  which  the  simplex  fault  detection 
schemes  provide  fault  coverage.  The  TRS,  however,  provides  both  efficient  fault 
detection  and  isolation  with  a  more  complex  FDI  scheme.  Reconfiguration  consists 
of  a  graceful  and  recoverable  reorganization  of  the  system  to  a  structure  of  lesser 
redundancy  and  reduced  performance.  In  this  manner,  fault-tolerant  control  is 
achieved. 

3.  Full  redundancy  of  the  control  structure  is  not  always  feasible.  The  additional 
hardware  requires  more  expense  and  working  volume  than  can  sometimes  be 
afforded.  In  fact,  space  limitations  and  expense  are  two  major  reasons  why 
redundant  structure  configurations  are  avoided  and  research  has  shifted  to  analytical 
redundancy. 

4.  Fault detection and isolation (FDI) is optimized with respect to a risk or cost
function  equivalent  to  the  probability  of  decision  error.  The  FDI  scheme  is 
generalized  to  account  for  both  positive  and  negative  faults  within  any  controller. 
The  resultant  test  compares  a  significant  statistic  to  a  derived  threshold  which  is 
adjusted  over  the  mission  to  reflect  any  change  in  the  reliability  of  the  control 
structure. 

5.  The performance of the FDI scheme is found to be proportional to the failure
signal-to-noise ratio. The effect of multiple faults on the probability of decision error is
negligible, assuming a uniform fault distribution.

6.  Limit  and  rate  checking  will  detect  extreme  bias  and  noise  conditions  which 
comprise  the  majority  of  spontaneous  or  transient  faults.  Reconfiguration  consists 
of  removing  the  faulty  controller  from  the  output  estimation  scheme  yet  still 
including  it  as  a  voter  in  the  FDI  scheme.  The  faulty  controller  is  simply  returned  to 
valid  status  upon  a  successful  test.  This  reconfiguration  scheme  allows  recovery 
from  false  alarms  and  transient  faults  and  maintains  the  independence  between 
successive  tests  over  the  mission. 

7.  The minimized Gaussian error function and the maximized exponential reliability
function  provide  a  complete  concept  of  all  a  priori  knowledge  of  the  control 
structure.  The  marginal  or  conditional  probabilities  of  the  FDI  schemes  describe  the 
performance  statistics  associated  with  the  redundant  structure.  The  resultant  set  of 
system states and their associated probabilities, as illustrated by the decision tree,
represents  all  a  priori  knowledge  of  the  redundant  structure. 

8.  Entropy provides a logarithmic measure of system/decision uncertainty. This
metric  allows  for  a  comparison  of  the  effective  system  performance  of  redundant 
structures.  Further,  the  widespread  application  of  entropy  attests  to  its  fundamental 
nature  and  allows  for  linkage  into  a  more  comprehensive  system  representation  of 
uncertainty  by  incorporation  of  other  system  entropies. 

9.  The optimal redundant structure for fault-tolerance is reached by utilizing a highly
reliable control structure at the greatest level of redundancy while maintaining
near-perfect FDI at all levels of operation. This allows maximizing the information rate
of  the  discrete  FDI  decision  scheme  while  minimizing  the  error  variance  of  the 
controlled  parameter.  Further,  the  average  mission  or  period  of  working  operation 
is  increased  due  to  successive  stages  of  reduced  operation. 

10.  For  a  system  with  zero  shutdown  cost  and  high  false  alarm  cost,  the  general 
performance  of  a  redundant  structure  is  dependent  upon  the  quality  of  the  tests  and 
proper  design  of  the  decision  scheme.  Results  indicate  the  need  to  switch  the  FDI 
decision  scheme  for  different  stages  of  the  mission  in  all  but  the  most  perfect  case. 
Any  detection  schemes  of  poor  or  worse  quality  are  generally  not  utilized. 
However,  a  redundant  structure  with  shutdown  capability  must  incorporate  at  least 
one quality test in order to improve upon single structure performance.

Novel  contributions  of  this  thesis  include: 

*  Analysis  of  the  sensitivity  of  the  FDI  scheme  to  multiple  faults. 

*  A  more  optimal  fault  detection  scheme  for  triple  redundant  structures. 

*  Analysis  and  comparison  of  the  uncertainty  within  redundant  structures. 

Chapter 2:  Error Analysis of the Control Structure


Computer  applications  have  been  widespread  since  the  first  real-time  minicomputer 
implementation  for  process  measurement  and  control  in  1958.  Progress  has  been 
especially  rapid  since  the  introduction  of  the  microcomputer.  Successful  integration  of  the 
computer system within the process control loop relies directly upon accurate input/output
(I/O)  interfacing.  Yet  many  current  designs  of  data  acquisition  and  control  actuation  are 
based  on  traditional  "cookbook"  methods.  Economic  and  performance  requirements 
demand  improved  error  accountability  and  reduced  product  variability  through  a 
comprehensive  quantitative  analysis  of  the  interface  from  sensors  to  actuators.  This 
mathematical  model-based  approach  provides  a  definitive  framework  on  which  to  build 
intelligent  control.  A  typical  control  structure  is  presented  in  Figure  2.1.  This  structure 
can  represent  either  the  inner-loop  digital  control  of  the  process  (Figure  2.2)  or  an  outer 
loop  observer/planner  to  reason  qualitatively  about  the  system  (Figure  2.3). 


Figure 2.1  Typical Control Structure (blocks: Signal Conditioning, Signal Acquisition, Controller/Observer/Planner, Signal Interpolation)

Figure 2.2  Inner Loop Control (labels: 12 bits, Signal Acquisition, Signal Processing)

Figure 2.3  Outer Loop Observer/Planner (labels: Qualitative Observer/Planner, X = State Estimates)

An analysis by Garrett of the typical control structure describes each functional
component  of  the  system  and  provides  a  tabular  form  for  itemizing  worst-case  errors. 
[Garrett]  This  error  budget  presents  all  error  sources  and  their  bounds  in  a  standard  format 
to  allow  comparison  and  combination  of  all  system  errors.  Thorman’s  analysis  of  an 
existing  control  structure  is  presented  in  Figure  2.4  (see  also  Appendix  A)  as  an  example  of 
an  error  budget.  [Thorman]  Three  error  characteristics  are  encountered  in  practice: 
average,  systematic,  and  random.  Average  error  is  the  mean  value  of  parameter  variation, 
as  represented  by  hardware  and  sampling  errors.  Systematic  errors  are  those  which  vary  as 
a  function  of  operating  conditions,  such  as  device  temperature  drift  and  intersample  error. 
Random  errors  are  parameter  variations  possessing  a  probability  density  function  (pdf), 
such  as  signal  quality  and  device/system  noises.  All  values  are  given  in  terms  of  percent  of 
full  scale  measurement  (%FS)  in  order  to  provide  a  common  scale  for  comparisons.  The 
Central  Limit  Theorem  dictates  that  the  pdf  of  random,  uncorrelated  errors  is  approximated 
by  a  normal  or  Gaussian  distribution  over  a  large  (infinite)  number  of  samples.  The 
characteristic  bell-shaped  curve,  as  depicted  in  Figure  2.5,  is  completely  defined  by  its 
mean (μ = summation of all average errors) and standard deviation (σ = root-sum-square of
all random and systematic errors). This orthogonal summation of component Gaussian
distributions  is  due  to  the  independent  or  uncorrelated  nature  of  the  error  sources  (the  RSS 
cross-product  terms  are  zero).  [Papoulis,  Peebles]  Error  terms  may  now  be  quantified  and 
combined  to  provide  an  overall  measure  (or  window)  of  performance  for  the  current  design 
and  environment  of  the  control  structure.  Equation  2.1  presents  the  conditional  error 
density  function  for  the  analyzed  control  structure  given  that  the  structure  is  reliable  or 
functioning  properly  (Section  3.2).  This  window  of  performance  is  the  basis  for  our  fault 
detection  scheme  discussed  in  Chapter  4. 


System Element                       Error (%FS)

Sensor linearization                 0.0111
Cold junction compensation           0.0222
Input RC filter                      0.0001
Signal quality                       0.2370
OP-07 amplifier                      0.0370
CMOS multiplexer                     0.0110
A/D converter                        0.0066
Intersample                          0.0319
Sinc                                 0.0150
Aliasing                             0.2205

Mean value (μ)                       0.0484
RSS value (σ)                        0.3276

Existing measurement error bound     0.3760 %FS (6.77 °C)

Figure 2.4 Example Error Analysis for a Control Structure

Figure 2.5 Control Structure Error PDF

(Equation 2.1)
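
The error-budget arithmetic behind Figure 2.4, written out as an added example that is not part of the original thesis. Which elements are summed into the mean and which are root-sum-squared is an assumption inferred from the totals printed in the figure, and the 1800 °C full scale is inferred from 0.3760 %FS = 6.77 °C.

```python
import math

# Figure 2.4 values in %FS. The "mean"/"rss" grouping is an assumption of this
# example: it is the grouping that reproduces the totals printed in the figure.
ERROR_BUDGET = [
    ("Sensor linearization",       0.0111, "mean"),
    ("Cold junction compensation", 0.0222, "mean"),
    ("Input RC filter",            0.0001, "mean"),
    ("Sinc",                       0.0150, "mean"),
    ("Signal quality",             0.2370, "rss"),
    ("OP-07 amplifier",            0.0370, "rss"),
    ("CMOS multiplexer",           0.0110, "rss"),
    ("A/D converter",              0.0066, "rss"),
    ("Intersample",                0.0319, "rss"),
    ("Aliasing",                   0.2205, "rss"),
]

FULL_SCALE_DEG_C = 1800.0  # assumption: implied by 0.3760 %FS = 6.77 degC


def combine(budget):
    """Return (mu, sigma, bound) in %FS: summed mean, RSS, and their total."""
    mu = sum(v for _, v, kind in budget if kind == "mean")
    sigma = math.sqrt(sum(v * v for _, v, kind in budget if kind == "rss"))
    return mu, sigma, mu + sigma


def variance_shares(budget):
    """Rank the RSS elements by their share of the total variance sigma**2."""
    terms = [(name, v * v) for name, v, kind in budget if kind == "rss"]
    total = sum(t for _, t in terms)
    return sorted(((n, t / total) for n, t in terms), key=lambda p: -p[1])


def what_if(budget, name, new_value):
    """Recombine the budget with one element changed (a design trade study)."""
    changed = [(n, new_value if n == name else v, k) for n, v, k in budget]
    return combine(changed)


def q_function(x):
    """Gaussian tail area Q(x) = P(Z > x) for a standard normal Z."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def coverage(k):
    """Probability that the error lies within mu +/- k*sigma, i.e. 1 - 2Q(k)."""
    return 1.0 - 2.0 * q_function(k)


if __name__ == "__main__":
    mu, sigma, bound = combine(ERROR_BUDGET)
    print(f"mu = {mu:.4f} %FS, sigma = {sigma:.4f} %FS, bound = {bound:.4f} %FS")
    print(f"bound = {bound / 100.0 * FULL_SCALE_DEG_C:.2f} degC at full scale")
    for name, share in variance_shares(ERROR_BUDGET):
        print(f"  {name:<18s} {100.0 * share:6.2f} % of variance")
    _, sigma_half, _ = what_if(ERROR_BUDGET, "Aliasing", 0.2205 / 2.0)
    print(f"sigma with aliasing error halved = {sigma_half:.4f} %FS")
    print(f"coverage of +/- 1 sigma = {100.0 * coverage(1.0):.1f} %")
```

The variance ranking shows why the later sections concentrate on signal quality and aliasing: under this grouping those two elements account for nearly all of σ².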


Our  attention  now  turns  to  achieving  the  design  with  the  lowest  error  bound  and, 
therefore,  the  best  performance.  The  most  efficient  estimator  of  the  control  signal  has  the 
smallest variance (σ²) in the error. Error variance can be minimized through proper use
and configuration of each system parameter and component. The following sections are
devoted to the understanding, quantization, and minimization of the major error sources
within the control structure. Our end result is a stationary Gaussian error function with
mean μ and minimal variance σ² associated with the given control structure and conditioned
on  its  normal  operation  (i.e.  no  faults). 




2.1. Average Filter Error


Standard  signal  conditioning  practice  dictates  the  need  for  a  lowpass  filter  whose 
cutoff  frequency  is  placed  at  the  highest  frequency  of  interest  in  the  system.  Requirements 
for  signal  bandlimiting  in  data  acquisition  and  conversion  systems  include  signal  quality 
upgrading  (section  2.2)  and  aliasing  prevention  (section  2.3.3).  However,  when  a  filter  is 
superimposed on the measured signal, filter gain and phase deviations from the ideal result
in a signal amplitude error that constitutes component error. Filter gain error is the primary
source  of  error  for  both  DC  and  sinusoidal  signals  because  single  line  spectra  are 
unaffected  by  filter  phase  nonlinearities.  Laube  analyzed  the  passband  gain  deviation  for 
three  common  filters  with  reference  to  0  Hz  (Figure  2.6).  [Laube]  Most  applications  are 
best  served  by  the  3-pole  Butterworth  filter  which  offers  good  stopband  attenuation  and 
0.2%FS  error  for  50%  spectral  occupancy  of  the  passband.  Of  significance  is  that  small 
filter  component  error  can  be  achieved,  with  a  small  sacrifice  of  the  total  filter  bandwidth, 
by restricting signal spectral occupancy to a fraction of the filter cutoff frequency.


Figure 2.6 Passband Gain Deviations for Three Filters


2.2. Signal Quality


The  basic  signal  conditioning  structure  of  the  preamplifier  and  filter  is  commonly 
used  to  reduce  the  interference  of  unwanted  signals  (noise).  Garrett  analyzed  signal 
corruption  due  to  random  Gaussian  noise  or  coherent  sinusoidal  interference.  [Garrett]  The 
signal-to-noise  ratio  (SNR)  is  a  dimensionless  ratio  of  signal  power  to  noise  power  which 
provides  a  measure  of  the  interference.  Equations  2.2  -  2.5  allow  determination  of  the 
filter  output  SNR  by  accounting  for  the  effects  of  signal  conditioning  and  either  random  or 
coherent  noise  on  the  measured  input  SNR.  SNR  will  be  expressed  as  the  squared  rms 
ratio  of  full  scale  signal  amplitude  to  maximum  noise  amplitude  (assuming  equal  resistance 
for  both).  In  Equation  2.3,  the  resistances  to  the  signal  and  noise  sources  within  the 
amplifier are represented by the differential and common-mode impedances, respectively.
The  amplifier's  common-mode-rejection-ratio  (CMRR)  is  squared  in  order  to  convert  its 
ratio  of  differential  to  common-mode  voltage  gains  into  a  power  ratio.  The  filter’s 
efficiency  (k)  represents  its  approximation  to  ideal  matched-filter  signal  conditioning  with 
respect  to  random  interference  (Equation  2.4)  and  any  coherent  sinusoidal  interference 
(fcoh) beyond the filter’s cutoff frequency (fc) will be greatly attenuated (Equation 2.5).


SNR  input  = 

2 

dc  rms 

or 

(Equation  2.2) 

Lv,,  J 

dc  rms 

SNR  amp  = 

SNR  input^ 

*  CMRR'^  *  - 2SL_ 

Rdiff 

(Equation  2.3) 

Filter  SNR 

random 

SNR  amp  * 

^  hi 

(Equation 2.4)

Filter  SNR 

coherent 

SNR  amp  * 

1  ^  )  ] 

(Equation  2.5) 

The filter output SNR is used directly in determining the signal quality (Equations
2.6, 2.7). The square root of the SNR is the ratio of full scale signal-to-noise amplitudes.
For  coherent  interference,  signal  error  (%FS)  or  the  ratio  of  full  scale  noise-to-signal 
amplitudes  is  easily  found  from  the  inverse  of  the  SNR  square  root  (Equation  2.6). 


For  random  Gaussian  noise  (Figure  2.7),  the  signal  error  pdf  must  be  evaluated  at  the  noise 
region (ΔA) centered about the true signal amplitude (A) in order to achieve 68%
confidence  (i.e.  ±  one  standard  deviation)  in  accordance  with  our  signal  error  distribution. 
The  erf  function  approximates  the  area  (probability)  under  the  standard  Gaussian  curve 
(zero  mean  and  unit  variance)  within  some  region  centered  about  the  mean.  [Schwartz] 
Transformation  to  the  standard  distribution  (x  transformed  to  z)  requires  normalization  of 
the  delta  region  by  full  scale  conditions  (the  SNR  square  root).  Here,  the  erf  function  is 
given  in  terms  of  the  Q  function  which  represents,  in  a  tabular  form,  the  area  under  the 
curve  for  all  values  greater  than  z.  [Shanmugam]  When  erf(z)  is  evaluated  at  68% 
probability,  the  error  contribution  due  to  random  interference  can  be  determined 
(Equation  2.7). 

(transformation to Standard Distribution)


erf(z) = 1 - 2Q(z√2) = 68%;


(from Q Table: Q(1) = 16%)


(Equation  2.7) 


Figure  2.7  Random  Gaussian  Interference 

2.3. Sampled Data


Digital  transmission  of  analog  signals  is  possible  by  virtue  of  the  sampling  theorem 
which  tells  us  that  an  analog  signal  can  be  reproduced  from  an  appropriately  spaced  set  of 
its  samples.  True  reproduction  of  the  signal  requires  a  number  of  ideal  conditions: 
bandlimited,  continuous  signal;  infinite,  impulse  sampling;  and  ideal,  lowpass 
interpolation.  Most  physical  signals  may  be  considered  bandlimited  due  to  the  small 
amplitude  of  high-frequency  components.  Practical  application  and  system  stability 
requirements  enforce  sampling  of  finite  rate  and  pulse  width.  The  ideal  interpolation 
function  cannot  be  physically  realized  because  its  noncausal  impulse  response  requires  an 
output  that  anticipates  its  input.  Therefore,  in  practice,  these  factors  make  it  impossible  to 
exactly  reproduce  a  continuous  signal  from  the  sampled  signal  even  if  the  sampling  theorem 
is  satisfied.  [Kuo] 

2.3.1. ZOH Amplitude or Sinc Error

Convolution  of  the  analog  signal  and  an  instantaneous  sampling  function  leads  to  a 
spectrum  consisting  of  the  original  baseband  spectrum  of  the  signal  and  its  replication 
around  each  of  the  harmonics  of  the  sample  frequency.  For  sample-and-hold  (S/H) 
applications, sinc attenuation of these images occurs due to the transfer function of a
zero-order-hold (ZOH). In Figure 2.8, Kuo derives the transfer function and frequency domain
representation for a ZOH. [Kuo] In Figure 2.9, Garrett shows the effect of the sinc
attenuation on a sampled sinusoidal signal. [Garrett] The ZOH behaves essentially as a
nonideal lowpass filter, imposing signal amplitude and phase error within the bandwidth
(BW). Clearly, the accuracy of the ZOH as an extrapolating device depends greatly on the
sample frequency. Garrett approximates the error imposed by sinc attenuation with the
average baseband amplitude error expressed in %FS departure from unity gain (Equation
2.8). [Garrett] As the sample frequency fs approaches the spectral occupancy of the signal,
the sinc error becomes more predominant.

ZOH Transfer Function

g_zoh(t) = u(t) - u(t - T)

G_zoh(jω) = exp(-jωT/2) [exp(jωT/2) - exp(-jωT/2)] / (jω)

G_zoh(jω) = (2/ω) * sin(ωT/2) * exp(-jωT/2) = T * sinc(ω/ωs) * exp(-jωT/2)

(amplitude term: T * sinc(ω/ωs); phase term: exp(-jωT/2))


Figure 2.8 ZOH Transfer Function and Frequency Domain Representation


Figure 2.9 Image Spectra of Sampled Sinusoid Signal


ZOH Amplitude or Sinc Error: Esinc = 50%FS * [1 - sinc(BW/fs)] (Equation 2.8)


2.3.2.  ZOH  Phase  or  Intersample  Error 


The  step-interpolation  of  the  ZOH  assumes  the  last  sampled  value  is  true  until  the 
next  sample.  Evaluation  at  the  sample  frequency  of  the  phase  term  of  the  ZOH  transfer 
function  determines  that  the  sampled  signal  exhibits  an  average  time  delay  equal  to  half  the 
sample  period.  Intersample  error  is  the  variation  between  the  actual  signal  and  its  ZOH 
step-interpolated  representation.  In  Figure  2.10,  Garrett  depicts  the  intersample  error  for  a 
sampled  sinusoidal  signal  due  to  the  ZOH  signal  delay.  The  worst-case  intersample  error  is 
found  by  Garrett  through  the  following  set  of  equations  working  in  the  time  domain. 
Maximum  peak-to-peak  (pp)  error  is  found  assuming  a  sinusoidal  signal  at  its  maximum 
rate-of-change  zero  crossing  (Equation  2.9). 


ΔVpp = Ts * dV/dt |t=0 = Ts * d/dt [Vpk sin(2π BW t)] |t=0 = 2π Ts BW Vpk    intersample error (pp)

(Equation 2.9)


Conversion  to  root-mean-square  (rms)  error  by  Equation  2.10  requires  normalization  by 
the  signal's  sinusoidal  pp/rms  factor  and  the  intersample  triangular  pp/rms  factor  due  to  the 
error  waveform  in  Figure  2.10. 

intersample error (rms)
(Equation 2.10)

Finally, intersample error is provided in terms of %FS (Equation 2.11). [Garrett]

Due to the poor interpolation of the ZOH, intersample error contributes greatly to the
system  error  budget.  Its  minimization  requires  a  high  fs/BW  ratio  or  a  more  ideal  filter 
(see  section  2.4)  to  provide  smoother  signal  recovery  between  samples. 


Figure  2.10  Intersample  Error 
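
A numerical check of the ZOH relations in Sections 2.3.1 and 2.3.2, added here as an example and not taken from the thesis or from Garrett or Kuo. It integrates the hold pulse g(t) = u(t) - u(t - T) directly and compares the result with T * sinc(f/fs) * exp(-jπf/fs), recovers the half-sample delay from the phase term, and compares Equation 2.9 with the exact worst-case step; reading the sinc argument of Equation 2.8 as BW/fs is an assumption of this example.

```python
import cmath
import math


def sinc(x):
    """Normalized sinc: sin(pi*x) / (pi*x), with sinc(0) = 1."""
    return 1.0 if x == 0 else math.sin(math.pi * x) / (math.pi * x)


def zoh_closed_form(f, fs):
    """G_zoh(j*2*pi*f) = T * sinc(f/fs) * exp(-j*pi*f/fs), with T = 1/fs."""
    return (1.0 / fs) * sinc(f / fs) * cmath.exp(-1j * math.pi * f / fs)


def zoh_numeric(f, fs, steps=2000):
    """Fourier transform of g(t) = u(t) - u(t - T), by midpoint integration."""
    dt = 1.0 / (fs * steps)
    w = 2.0 * math.pi * f
    return dt * sum(cmath.exp(-1j * w * (i + 0.5) * dt) for i in range(steps))


def zoh_delay(f, fs):
    """Time delay implied by the phase term; equals T/2 for 0 < f < fs."""
    return -cmath.phase(zoh_closed_form(f, fs)) / (2.0 * math.pi * f)


def sinc_error_pct_fs(bw, fs):
    """Equation 2.8 with the sinc argument read as BW/fs (assumption)."""
    return 50.0 * (1.0 - sinc(bw / fs))


def intersample_pp_approx(bw, fs, vpk=1.0):
    """Equation 2.9: Ts * dV/dt at the zero crossing = 2*pi*Ts*BW*Vpk."""
    return 2.0 * math.pi * bw * vpk / fs


def intersample_pp_exact(bw, fs, vpk=1.0):
    """Largest change of Vpk*sin(2*pi*BW*t) across one held sample period,
    reached when the period is centred on a zero crossing (fs >= 2*BW)."""
    return 2.0 * vpk * math.sin(math.pi * bw / fs)


def sweep(ratios, bw=1.0):
    """Tabulate (fs/BW, sinc error %FS, Eq. 2.9 pp error, exact pp error)."""
    rows = []
    for ratio in ratios:
        fs = ratio * bw
        rows.append((ratio, sinc_error_pct_fs(bw, fs),
                     intersample_pp_approx(bw, fs),
                     intersample_pp_exact(bw, fs)))
    return rows


if __name__ == "__main__":
    f, fs = 50.0, 1000.0  # constructed sample values, not from the thesis
    print("closed form:", zoh_closed_form(f, fs))
    print("numeric    :", zoh_numeric(f, fs))
    print("delay / T  :", zoh_delay(f, fs) * fs)
    for ratio, e_sinc, pp_lin, pp_exact in sweep([4, 10, 100, 1000]):
        print(f"fs/BW = {ratio:5d}  sinc error = {e_sinc:8.5f} %FS  "
              f"pp (Eq. 2.9) = {pp_lin:.5f}  pp (exact) = {pp_exact:.5f}")
```

The sweep shows both error terms shrinking as fs/BW grows, and that the linearized Equation 2.9 overstates the step only at low fs/BW ratios.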


2.3.3.  Aliasing  Error 


By the sampling theorem, the minimum sample rate (fs) allowing signal
reconstruction  is  twice  the  signal  bandwidth.  Infinite  sampling  is  ideal,  but  practical 
application  and  system  stability  enforce  a  finite  maximum  rate.  As  the  sample  frequency  is 
reduced,  samples  move  further  apart  in  the  time  domain  and  images  move  closer  in  the 
spectrum.  Signal  aliasing,  or  spectral  overlap  of  the  baseband  and  its  images,  occurs  when 
the folding frequency (fo = fs/2) meets the baseband. In general, sample frequency can be
set high enough to readily avoid this problem of signal aliasing. [Kuo]

Of  greater  concern  and  complexity  is  noise  aliasing.  Coherent  and  random  noise 
sources  above  the  folding  frequency  are  heterodyned  within  the  signal  baseband  as  a 
consequence  of  the  convolution  of  noise  and  the  sampling  function  (Figure  2.11  by 
Garrett).  This  generation  of  intermodulation  distortion  cannot  be  removed  by  later  signal 
conditioning.  The  pre-sampling  filter  used  for  signal  quality  upgrading  (Section  2.2)  is  our 
only  protection  against  noise  aliasing.  The  filter  of  order  n  will  attenuate  all  unwanted 
noise  outside  its  cutoff  frequency  in  order  to  substantially  reduce  undersampling.  This 
observation  can  also  be  made  from  the  aliasing  error  equations  derived  by  Garrett 
(Equations  2.12-2.15).  [Garrett]  Aliasing  error  due  to  coherent  interference  in  the  source 
band  m  (Equation  2.12)  is  determined  from  the  heterodyned  noise  amplitude  after  its 
attenuation by the filter and the sampling sinc function.

where n = filter order
      m = noise source band

(Equation 2.12)

Aliasing error due to random interference up to the amplifier's cutoff frequency (fhi)
(Equation  2.15)  is  determined  from  the  SNR  as  per  Equation  2.7.  The  power  of  the  aliased 
random  noise  is  approximated  in  Equation  2.13  by  summation  of  the  attenuated  noise 
amplitudes,  squared  for  power,  at  each  harmonic.  Note  that  heterodyned  random  noise 
sources  may  be  considered  out  to  the  first  harmonic  (m  =  1)  only  due  to  the  filter 

Figure 2.11 Aliasing of Coherent and Random Noise


2.4.  Signal  Recovery  or  Interpolation  Error 


Our  error  analysis  in  previous  sections  focussed  on  the  conditioning  and  digital 
encoding  of  a  continuous  analog  signal  for  subsequent  manipulation  within  a  computer. 
Yet,  the  design/analysis  of  computer  real-time  data  conversion  and  recovery  systems  must 
be  considered  jointly.  Signal  recovery  involves  a  digital-to-analog  converter  (DAC) 
followed by a bandlimiting function (e.g. linear first-order-hold (FOH), RC or Butterworth
filter,  closed-loop  control  system,  etc.)  to  attenuate  the  repetitive  sampled-data  frequency 
spectra  down  to  its  true  baseband  spectra  (Figure  2.12  by  Garrett).  By  itself,  the  DAC 
merely  provides  the  ZOH  step-interpolated  representation  of  the  signal  with  its  associated 
amplitude  and  phase  error  (assuming  zero  computational  delay).  The  output  interpolator 
will  provide  signal  filtering  more  ideal  than  the  ZOH  (see  section  2.3  and  the  example 
error  budget  Figure  2.4).  By  including  this  improved  interpolator,  an  error  budget  for  the 
entire  control  structure  will  allow  replacement  of  the  large  intersample  error  of  signal 
conversion  with  the  interpolation  error  of  signal  recovery. 


Figure 2.12 Signal Recovery Techniques (traces: linear interpolator output, step interpolator output, filter output)


Garrett  derives  the  interpolation  error  in  the  frequency  domain  from  the  achieved 
mean-squared-error  (MSE)  of  the  sampled-data  signal.  [Garrett]  The  MSE  relationship  has 
the  dimension  of  rms  volts  squared  and  is  depicted  by  signal  image  spectra  existing  above 
the  baseband.  For  an  input  sinusoid,  the  MSE  of  the  DAC  output  is  the  infinite  sum  of 
each spectral image's power as attenuated by the sinc amplitude response of the ZOH
(Equation  2.16).  This  representation  of  the  unwanted  spectral  images  or  noise  can  be 
approximated  by  considering  only  the  first  term  with  a  constant  1.644  multiplier  (Equation 
2.17).  [Brockman] 

OO 

MSE  =  I  |^sinc^(^k  -  +  sinc^^k  +  J(rms)^  (2.16) 

k=l 

MSE  =  1.644  [sinc^^l  -  +  sinc^^l  +  J(rms)^  (2.17) 

s  s 

The output SNR and interpolation error (Equations 2.18, 2.19) for a coherent signal (as per
section 2.2) are computed directly from the signal MSE.

This frequency-domain approximation for the DAC interpolation error can be proven
equivalent to our time-domain approximation of intersample error (section 2.3.2) under
proper operating conditions (large fs/BW ratio).

The interpolation/intersample error of the system is reduced upon considering the output
filter’s  further  attenuation  of  the  signal’s  spectral  images  (Figure  2.13  by  Garrett).  A 
comparison  of  the  performance  of  four  output  interpolators  (Figure  2.14  by  Garrett) 
highlights  the  convergence,  with  increasing  order  of  interpolator,  towards  ideal  signal 
recovery. 

One  concern  in  using  an  output  interpolator  is  the  associated  time  delay  or  phase  lag 
of  the  signal-smoothing  component.  A  basic  tenet  of  control  engineering  is  that  this  delay 
leads  towards  system  instability.  We  can  sidestep  this  problem  by  considering  the  intrinsic 
bandlimited  response  of  the  closed-loop  system.  For  example,  a  first-order  system 
response  can  be  characterized  by  a  single-pole  RC  filter  which  would  perform  as  an 
improved  interpolator  during  signal  recovery.  Interpolation  error  is  determined  with  the 
RC filter equation of Figure 2.13.


Figure 2.13 Output Interpolator Equations


Figure  2.14  Output  Interpolator  Comparison 


2.5.  Conclusions 


The analysis of a typical control structure provides a tabular form (or error budget)
for  itemizing,  quantizing,  and  minimizing  worst-case  errors  of  an  average,  random,  or 
systematic  nature.  The  result  is  a  stationary,  Gaussian  error  function  of  minimal  mean  and 
variance  conditioned  on  the  reliable  performance  of  the  control  structure.  This  probability 
density  function  defines  the  uncertainty  of  the  control  structure  at  any  given  point  in  time  of 
its  operation  (i.e.  what  exactly  is  the  value  of  the  control  signal  u?).  However,  we  are  also 
uncertain as to whether the control structure is operating properly at this stage in its lifetime
or  mission.  This  uncertainty  is  represented  by  the  probability  density  function  of  the 
control  structure’s  reliability  as  a  function  of  time.  The  following  chapter  reviews 
reliability  theory  and  proposes  a  failure  rate  budget  (the  conceptual  equivalent  to  the  error 
budget)  which  will  be  the  basis  for  the  reliability  pdf  of  the  control  structure. 

Chapter 3: Analysis of Redundant Structures


Human  capabilities  to  conceptualize  many  systems  with  accurate,  real-time  process 
models  have  been  challenged.  Instead  of  modelling  the  process,  an  error  analysis  of  the 
control  structure  provides  a  minimized  Gaussian  error  function  (Chapter  2)  by  accounting 
for  all  sources  of  error  in  a  tabular  form.  In  a  similar  fashion,  a  reliability  analysis  of  the 
control  structure  provides  a  maximized  exponential  reliability  function  (Section  3.3)  by 
tabularizing  all  component  failure  rates.  These  models  provide  a  complete  concept  of  all 
a  priori  knowledge  of  the  control  structure.  Entropy  provides  a  measure  of  this  a  priori 
knowledge  or,  more  appropriately,  lack  of  knowledge  (i.e.  ignorance/uncertainty)  in  terms 
of  the  modelled  probability  functions  (Chapter  5).  It  is  found  that  these  functions  conform 
to  Jaynes'  method  of  maximum  entropy  where  a  chosen  model  remains  minimally 
prejudiced  with  respect  to  any  missing  information.  Thus,  our  error  and  reliability  models 
exhibit  a  dualism  in  their  origination  and  application.  Further,  these  models  can  be 
optimized  with  respect  to  each  application  based  on  the  give-and-take  between  the  costs  of 
various  sources  included  in  the  error  and  failure  rate  budgets. 

Redundancy  allows  further  improvement  of  the  control  structure’s  error  and 
reliability.  For  example,  the  deviation  in  the  error  function  of  the  control  signal  is  reduced 
through  the  averaging  of  the  redundant  outputs,  owing  to  the  essentially  uncorrelated  error 
contributions  of  each  structure's  elements  (Section  3.2).  This  reduction  in  error  variance  is 
shown  to  be  optimal  with  respect  to  redundant  hardware  for  two  structures.  Analysis  of 
redundant  structures  shows  additional  benefits  in  improved  reliability  (Section  3.4) 
occurring  with  each  level  of  redundancy.  Each  additional  structure  in  a  redundant 
configuration  provides  an  order  of  magnitude  improvement  in  the  reliability  of  the 
configuration  during  short  term  missions  or  earlier  periods  of  extended  operation. 
However, these benefits are only possible at the cost of increased entropy or uncertainty
with  each  level  of  redundancy  (Chapter  5).  An  attempt  to  recoup  these  losses  via  fault 
detection  and  isolation  (FDI)  techniques  is  presented  in  Chapter  4. 

The  Dual-Difference  Redundant  Structure  (DDRS)  is  based  on  two  identical  control 
structures (Figure 3.1). Redundancy may be in part (semi-redundancy, Figure 3.2) or in
full  (from  sensors  to  actuators)  for  the  control  structure  presented  in  Chapter  2  (Figure 
2.2).  As  with  a  single  control  structure,  the  DDRS  may  be  implemented  directly  within  the 
inner  loop  for  digital  control  (Figure  3.3)  and/or  removed  to  an  outer  loop  to  observe  the 
process (Figure 3.4). Note that the process is not included within the DDRS. This
becomes  a  key  issue  in  Chapter  4  which  highlights  the  direct,  intuitive  nature  of  our  fault 
detection  scheme  and  distinguishes  it  from  other  current  research  which  emphasizes 
process  modelling. 


Figure 3.1 Dual-Difference Redundant Structure


Figure 3.2 Dual Semi-Redundant Structure


Figure  3.3  Inner  Loop  Digital  Control 


Figure  3.4  Outer  Loop  Observer/Planner 

3.1. Redundancy


Traditional majority-voting schemes dictate the use of redundant control structures
for  fault-tolerant  control.  Redundancy  is  defined  as  the  property  of  a  device  or  system 
wherein  it  has  more  than  one  means  of  performing  its  function.  This  redundancy  consists 
of  spare  modules,  complete  spare  hardware  structures,  or  analytical  models  which  are 
available  to  mask  faults  (passive  redundancy)  or  be  switched  on-line  in  the  place  of  faulty 
modules  or  structures  (active  redundancy).  For  active  redundancy,  these  spare  systems 
may  be  'hot'  (i.e.  continuously  processing)  and  can  therefore  be  switched  in  to  control  the 
process  with  little  or  no  disruption.  Status  information  may  be  shared  between  redundant 
structures  to  verify  their  performance  and  averaging  will  provide  a  best  estimate  of  the 
control  output.  If  a  fault  is  detected,  system  reconfiguration  entails  either  switching  the 
faulty  structure  off-line  or  simply  not  including  it  within  the  averaged  output;  thereby, 
continuous  system  control  is  maintained  but  at  reduced  efficiency.  Synchronization  allows 
this  sharing  of  data  between  redundant  structures  on  a  real-time  basis  and  minimizes  the 
interruption  in  active  control  of  the  process  during  switchover.  In  a  loosely  coupled 
system,  the  processors  would  run  asynchronously  due  to  their  separate  clocks;  therefore 
each  processor  would  have  to  stop  at  intermediate  places  called  checkpoints  so  that  they 
could check on each other’s performance. An alternate form of active redundancy
allows  the  spare  systems  to  be  'standby'  (i.e.  not  processing)  but  this  can  cause  a  much 
larger  switchover  delay.  Here,  the  spare  system  can  monitor  the  process  and  take  over 
when a lack of control is detected. System reconfiguration entails utilization of the spare
modules or structures for piecewise replacement of faulty parts, thereby allowing continued
system  control  at  the  same  efficiency  but  only  after  a  sometimes  substantial  delay.  [Walker] 

Triple  modular  redundancy  (TMR)  is  the  most  common  form  of  passive 
redundancy. Three hot, identical control structures are used to mask a fault on any single
structure. A mid-value selection algorithm selects the middle value of the three output
control signals. This algorithm provides essentially perfect coverage for the first failure,
since  in  order  for  a  failed  structure’s  signal  to  be  selected  for  control  of  the  process  it  would 
have  to  be  in  the  middle  of  the  two  valid  structure’s  signals.  In  addition,  this  algorithm 
allows  continuous  system  control  with  zero  recovery  time  for  the  first  failure.  Finally,  this 
algorithm  requires  no  intensive  computations  or  processing  because  no  fault  detection  is 
attempted  and  therefore  no  computer  is  required.  It  is  this  simplicity  of  the  TMR  concept 
that  has  made  it  one  of  the  most  popular  designs  for  fault-tolerant  control.  The  primary 
disadvantage of TMR is that it is unlikely for the mid-value selection algorithm to select the
valid output signal in the event of a second failure (1 in 3 chance). The TMR concept can
be expanded to N modular redundancy (NMR) so that (N-1)/2 failures can be tolerated.
For  example,  the  space  shuttle’s  main  computer  uses  a  4MR  scheme.  However,  the  use  of 
passive  redundancy  to  screen  out  the  effects  of  the  first  failed  structure  is  in  many  cases  an 
insufficient  response  to  the  presence  of  a  failure  in  a  system.  [Walker] 

The  DDRS  is  based  on  two  identical  control  structures  (Figure  3.1)  whose 
sampling  is  synchronized  by  a  common  sync  pulse  from  the  computer.  Both  structures  of 
the  DDRS  are  hot  and  their  outputs  are  averaged  (u)  in  order  to  ensure  agreement  in  their 
control demands. The deviation σu in the conditional error function (Equation 3.1) is
reduced  through  the  averaging  of  redundant  outputs,  owing  to  the  essentially  uncorrelated 
error  contributions  of  each  structure's  elements.  The  controller  outputs  are  also  differenced 
in  order  to  check  for  consistency  in  their  operation.  This  provides  a  sufficient  statistic  or 
residual (r) for fault detection (Equation 3.2). The common bias or mean value μr of the
error function is removed (i.e. reduced to zero) upon differencing and the deviation σr is
increased. Status information is shared at the computer and, if one structure is found faulty,
then system reconfiguration consists of ignoring the failed controller's input in determining
the  output  control  signal.  Of  course,  this  causes  a  subsequent  increase  in  the  system  error 
(using  Equation  2.1)  and  unreliability. 
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£(x  I  Both  Structures  Reliable)  =  Gaussian  (m,  =  it ,  CTu  =  M  Random  2  Systematic  ^ 

Conditional  Error  function  of  Average  (Equation  3.1) 

r(x  I  Both  Structures  Reliable)  =  Gaussian  =  0,  Smdom  System^  =  ^ 

Conditional  Error  function  of  Residual  or  Difference  (Equation  3.2) 


3.1.1.  Error  Analysis  of  Redundant  Structures 

The  combined  sensor-to-actuator  error  budget  tabulated  in  Figure  2.4  defines  the 
standard deviation σ of the conditioned error function for the control structure under normal
operating  conditions.  This  error  variance  can  be  further  reduced  through  the  averaging  of 
multiple  identical  structures,  as  defined  in  equation  3.4,  owing  to  the  essentially 
uncorrelated  error  contributions  of  each  structure's  elements.  [Raemer]  Evaluation  of  this 
equation  for  N  structures  discloses  a  30%  reduction  in  combined  error  for  two  parallel 
controllers  and  a  requirement  for  six  controllers  to  duplicate  this  amount  of  improvement 
for  60%  reduction  in  error.  This  result  identifies  an  optimization  of  error  reduction  and 
redundant hardware for two structures averaged! Under normal conditions, Equation 2.1
is  used  to  determine  the  standard  deviation  for  a  single  structure's  Gaussian  error  function 
and  Equation  3.4  is  subsequently  used  for  redundant  structures. 

$$\sigma_{redundant} = \frac{1}{N}\sqrt{\sum_{i=1}^{N} \sigma_i^2}$$ for N parallel structures (Equation 3.3)

$$\sigma_{redundant} = \frac{1}{N}\sqrt{N \sigma^2} = \frac{\sigma}{\sqrt{N}}$$ for N identical parallel structures (Equation 3.4)

Under faulty conditions, the error deviation is drastically increased. A uniform
fault distribution is assumed for the control structure where the fault magnitude is allowed
to achieve any magnitude up to fullscale (FS) value for the control parameter with equal
probability. A uniform probability density of base width α = 2FS has a standard deviation
of 0.577 FS by Equation 3.5: [Peebles]

$$\sigma_F = \frac{\alpha}{\sqrt{12}} = \frac{2FS}{\sqrt{12}}$$ for failed structure with uniform fault density (Equation 3.5)

This error variance can also be further reduced through the averaging of multiple identical
structures, as defined in equation 3.3, owing to the essentially uncorrelated error
contributions of each structure's elements.


$$\sigma_{NF} = \frac{\sigma_F}{\sqrt{N}} = \frac{\alpha}{\sqrt{12N}}$$ for N failed, identical, parallel structures (Equation 3.6)

Finally,  redundant  structures  have  possible  system  states  which  consist  of  n  failed 
structures  and  m  working  structures  (n+m  <  N).  Equation  3.7  is  utilized  to  determine  the 
resultant  error  deviation  for  this  system  state  of  the  redundant  structure. 


c  = 
nF 


Oc  =  —  for  n  failed  and  m  working  structures 

n  +  m  F  n  +  m  * 


(Equation  3.7) 

The Central Limit Theorem dictates that the probability density function of the sum of a
large number of random variables approaches a Gaussian distribution. In particular,
Peebles found that the summation of independent uniformly distributed random variables
can be closely approximated by a Gaussian density with equivalent mean and variance,
even for the case of only two variables summed. Hence, the conditional error distribution
for a redundant control structure with two or more failures (n ≥ 2) is represented by a
Gaussian density with zero mean and standard deviation of σnF. Otherwise, the
conditional error distribution for a redundant structure with one failure (n = 1) is uniform
with a base width of αn = α/N = 2FS/N.

3.2.  Reliability


Reliability (R) is frequently considered to be the capacity of a module or system to
preserve its operating characteristics within given limits and under specific conditions of
stress to achieve the mission of interest. It represents the a priori cumulative distribution
for the probability f(t) of system failure time tf (i.e. when the system passes beyond its
given limits) from the given time t to infinity. The most useful way to express the
(un)reliability and its associated pdf is in terms of the system failure rate (λ) or its inverse,
mean time between failures (MTBF). The MTBF is the expected time during which the
system will perform properly between or until failures. Component failure rate (λi) can be
estimated from observations over numerous testing cycles and is usually provided by the
manufacturer in terms of MTBF (Equations 3.8, 3.9).

Component Failure Rate $$\lambda_i = \frac{1}{MTBF_i}$$

Estimated Component Failure Rate $$\hat{\lambda}_i = \frac{\#\,\text{failures observed}}{\#\,\text{units tested} \times \text{hours tested}}$$

(Equations 3.8, 3.9)

The probability of system failure for a given time (density function f(t), Equation 3.10) or
over a given time period (Unreliability distribution Q(t), Equation 3.12) can then be
evaluated. [Walker]

The behavior of λ over time is typically represented by the "bathtub" curve (Figure
3.5). During the early failure period, weak parts that are marginally functional are
eliminated within the first few hours of operational burn-in. The middle section of the
curve, or the useful life period, contains the smallest and most nearly constant failure rate.
Here, the reliability of a component or system which is subject to failure due to a large
number of independent causes is characterized by an exponential pdf (Figure 3.6, Equation
3.11) much in the same way that the normal is a limiting distribution for the error (as
dictated by the Central Limit Theorem, Chapter 1) [Drenick]. This dualism is further
exhibited in that both the error and reliability distributions are maximized with respect to
entropy (see Section 3.5.1). In the final section of the bathtub curve, device strength
deterioration causes wearout failures to overcome these chance failures during the last span
of system life. Thus, the complete history of system reliability is defined by the history of
the failure rate. The useful life span of the system is the focus of our discussion.
[Bazovsky]


Figure  3.5  Failure  Rate  Bathtub  Curve 

Component Failure pdf $$f_i(t) = p(t = t_f) = \lambda_i \exp(-\lambda_i t)$$ (Equation 3.10)

Component Reliability $$R_i(t) = p(t < t_f) = \int_t^{\infty} f_i(\tau)\, d\tau = \exp(-\lambda_i t)$$ (Equation 3.11)

Component Unreliability $$Q_i(t) = p(t \ge t_f) = \int_0^{t} f_i(\tau)\, d\tau = 1 - \exp(-\lambda_i t)$$ (Equation 3.12)


The characteristic property of the exponential distribution which is associated with
the useful life period of a system is its constant failure rate or lack of memory property. A
component does not "remember" how long it has been in operation (i.e. how many times it
has been used). Thus, the probability it will fail in the next hour of operation (Equation
3.12) is the same as if it were new (i.e. unused), regardless of its accumulated power-on
hours. Failure becomes merely a chance occurrence. An additional characteristic of the
exponential distribution is the closure property of failure rates for serial systems. The
failure rate of a serial system, where M components operate independently and the system
fails when the first component fails, is the sum of all M component failure rates (λi). The
control structure can be considered a serial system of independent components (Figure
2.1), each with its own respective component failure rate. An example tabulation of
component failure rates and their summation for structure failure rate (λtotal) is presented in
Figure 3.7. By the independence assumption, the reliability probability of a serial system
is the intersection or product of all component reliabilities (i.e. all components must be
working for the system to work) (Equation 3.13). Thus, the exponential distribution
allows the closure property on failure rates for serial systems. Structure unreliability for
each controller in the DDRS is the complement of the structure reliability (Equation 3.14).
[Bazovsky]

Structure Reliability $$R_s = R_1 \cap R_2 \cap \cdots \cap R_M = \exp(-\lambda_1 t) \cdot \exp(-\lambda_2 t) \cdots \exp(-\lambda_M t) = \exp(-(\lambda_1 + \lambda_2 + \cdots + \lambda_M) \cdot t)$$

where M = number of components within the structure

Structure Reliability $$R_s(t) = \prod_{i=1}^{M} R_i(t) = e^{-\lambda_s t} \quad \text{where } \lambda_s = \sum_{i=1}^{M} \lambda_i$$ (Equation 3.13)

Structure Unreliability $$Q_s(t) = 1 - R_s(t) = 1 - e^{-\lambda_s t}$$ (Equation 3.14)


Component                     Failure Rate (per hour)   Comments

Sensor                        10^-6                     Thermocouple
Interface                     10^-6                     Cold-junction Compensation
Filter                        10^-5                     1-pole RC
Amplifier                     10^-5                     OP-07
Multiplexer                   10^-5                     CMOS
A/D Convertor                 10^-4                     12-bit conversion
Computer                      10^-5                     IBM AT

Structure Failure Rate (λs)   0.000142                  Summation of component rates
Structure MTBF                7042 hours                Inverse of failure rate

Figure 3.7 An Example Structure Failure Rate Budget


The need for higher levels of reliability increases with the economic, hazardous, or
other consequences of equipment failure and downtime. Common methods of reliability
enhancement or fault avoidance include: operating at low stress (derating), design
simplification to increase component reliability, specification of premium components (as
opposed to industrial grade parts passed within ±3σ of spec), and redundancy. In
applications where low front end failure rates have higher priority over component cost
(e.g. the computer systems on the space shuttle), redundancy of key parts of the system is
a commonly used option. The parallel redundancy of the DDRS allows system reliability
greater than that of a single control structure. Due to the independent operation of the
parallel structures, the system unreliability of a parallel system (Equation 3.15) is the
intersection or product of all structure unreliabilities (all structures must fail for the system
to fail). Since each probability is between zero and one, system unreliability will be less
than either structure's unreliability. As with the serial and parallel error equations,
semi-redundant structures must make use of both equations 3.14 and 3.15 in determining system
unreliability.


Parallel Redundant Structure Unreliability $$Q_p(t) = \prod_{i=1}^{N} Q_s(t) = (1 - e^{-\lambda_s t})^N$$ (Equation 3.15)

Parallel Redundant Structure Reliability $$R_p(t) = 1 - Q_p(t) = 1 - (1 - e^{-\lambda_s t})^N$$ (Equation 3.16)

3.2.1.  Reliability  Analysis  of  Redundant  Structures

The relative improvement in reliability which can be achieved by employing active
redundancy is illustrated in Figure 3.8 by Walker. In this figure, the unreliability of a
single structure is compared to the unreliabilities of a dual and triple redundant
configuration of identical control structures. The unreliability q of each configuration is
plotted as a function of a ratio of the period of operation t and the structure's mean time
between failures τ (1/λs). It can be seen that the maximum benefit of redundancy is
achieved during early operating periods with respect to the structure's MTBF. In the limit
as the ratio t/τ goes to zero, the slopes of the curves approach N decades per decade
(where N = number of structures in the configuration). Thus, each structure in a redundant
configuration provides an order of magnitude improvement in the reliability of the
configuration during short term missions or earlier periods of extended operation.
However, as the ratio t/τ approaches unity, the reliabilities of all configurations approach
zero and the benefits of redundant structures, although present, become less dramatic. This
reflects the fact that the probability that even one of the identical structures will still be
operating at MTBF τ is small no matter what level of redundancy was employed. From
this analysis, one can see the tremendous benefits in reliability possible with large
configurations of active structures or with hybrid redundancy (any combination of active
and standby redundancy). A hybrid redundancy scheme, consisting of a number of active
control structures (e.g. DDRS) employed for efficient fault tolerance and a number of
standby control structures which can be switched into the active configuration upon the
occurrence of a fault or before the MTBF is reached, can achieve any specified reliability
goal with less reliable components than simply an active redundant scheme. Of course, the
additional hardware requires more expense and working volume than can usually be
afforded. In fact, space limitations and expense are two major reasons why redundant
structure configurations are avoided and research has shifted to analytical redundancy.
[Walker]

Figure  3.8  Unreliability  Comparison  of  Redundant  Configurations
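
The serial and parallel reliability relations above can be evaluated directly from the Figure 3.7 budget. The following Python sketch is an added example, not code from the thesis; the function names are illustrative, and it assumes N identical, independent structures as in Equations 3.13 to 3.15 and 3.4.

```python
import math

# Component failure rates (per hour), taken from the Figure 3.7 budget.
FAILURE_RATES = {
    "Sensor": 1e-6,
    "Interface": 1e-6,
    "Filter": 1e-5,
    "Amplifier": 1e-5,
    "Multiplexer": 1e-5,
    "A/D Convertor": 1e-4,
    "Computer": 1e-5,
}


def structure_failure_rate(rates):
    """Serial closure property: the structure fails when its first component
    fails, so its failure rate is the sum of the component rates (Eq. 3.13)."""
    return math.fsum(rates.values())


def structure_unreliability(lam_s, t):
    """Q_s(t) = 1 - exp(-lam_s * t) (Eq. 3.14); expm1 keeps precision for small t."""
    return -math.expm1(-lam_s * t)


def parallel_unreliability(lam_s, t, n):
    """Q_p(t) = Q_s(t)**N for N identical, independent structures (Eq. 3.15)."""
    return structure_unreliability(lam_s, t) ** n


def loglog_slope(lam_s, n, ratio, step=1.01):
    """Finite-difference slope of log10(Q_p) against log10(t/tau), in decades
    per decade, evaluated at t/tau = ratio."""
    tau = 1.0 / lam_s
    q1 = parallel_unreliability(lam_s, ratio * tau, n)
    q2 = parallel_unreliability(lam_s, ratio * step * tau, n)
    return (math.log10(q2) - math.log10(q1)) / math.log10(step)


def averaged_error_reduction(n):
    """Fractional reduction in error deviation from averaging N identical
    structures, 1 - 1/sqrt(N) (Eq. 3.4)."""
    return 1.0 - 1.0 / math.sqrt(n)


if __name__ == "__main__":
    lam_s = structure_failure_rate(FAILURE_RATES)
    tau = 1.0 / lam_s
    print(f"lambda_s = {lam_s:.6f} per hour, MTBF = {tau:.0f} hours")
    print(" t/tau    Q (N=1)    Q (N=2)    Q (N=3)   slope (N=3)")
    for ratio in (0.001, 0.01, 0.1, 1.0):
        q = [parallel_unreliability(lam_s, ratio * tau, n) for n in (1, 2, 3)]
        slope = loglog_slope(lam_s, 3, ratio)
        print(f"{ratio:6.3f}  {q[0]:.3e}  {q[1]:.3e}  {q[2]:.3e}  {slope:8.2f}")
    for n in (2, 6):
        print(f"averaging {n} structures reduces error deviation by "
              f"{100 * averaged_error_reduction(n):.0f}%")
```

The slope column shows the redundancy benefit eroding as the mission time approaches the structure MTBF.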


3.2.2.  Effect  of  System  Inspection  on  Reliability 

As discussed above, system reliability is represented by an exponential function
during its useful life period (Figure 3.6) with an estimated mean time before failure (MTBF
= 1/λ). The exponential distribution is characterized by a lack of memory property; its
form is consistent over numerous missions during its useful life span, regardless of the
number or length of the missions. However, this property assumes that the system is
inspected for faults between missions and found to be operational. The following analysis
proves the lack of memory property of the exponential distribution for failure time
(Equation 3.10). Here, the system is inspected at time ti and found to be operating
normally. Thus, the time of failure tf for the system must be greater than the time of
inspection (tf > ti). The conditional probability of system failure time given normal
operation at the time of inspection is determined in Equation 3.17. [Peebles] The result is
that the inspection time becomes the new start time or zero reference for the exponential
distribution associated with reliability and failure time. The distribution maintains its form
and is simply shifted in time to the right.


Failure time $$f(t \mid t > t_i) = \frac{\partial}{\partial t}\,\frac{Q(t) - Q(t_i)}{1 - Q(t_i)} = \lambda \exp(-\lambda [t - t_i]) \quad \text{for } t \ge t_i$$ (Equation 3.17)


Figure  3.9  Reliability  Exponential  PDF  after  System  Inspection 

3.3.  Conclusions


The  control  structures  presented  in  this  thesis  are  designed  for  the  benefits  of 
redundancy.  The  deviation  in  the  error  distribution  of  the  control  signal  is  reduced  through 
the  averaging  of  the  redundant  outputs,  owing  to  the  essentially  uncorrelated  error 
contributions  of  each  structure's  elements.  This  reduction  in  error  variance  is  optimal  with 
respect  to  redundant  hardware  for  two  structures.  The  controller  outputs  are  also  combined
in  order  to  provide  a  sufficient  statistic  or  residual  for  fault  detection  and  isolation  (FDI). 
Each  structure  in  a  redundant  configuration  provides  an  order  of  magnitude  improvement  in 
the  reliability  of  the  configuration  during  short  term  missions  or  earlier  periods  of  extended 
operation.  However,  redundancy  also  causes  an  increase  in  system  entropy  with  respect  to 
reliability  and  accuracy. 

The  results  of  previous  sections  on  reliability  have  assumed  perfect  coverage  of  all 
possible  faults  or  deviations  from  normal  operation  for  the  control  system.  Coverage  is  the 
property  of  a  system  which  defines  its  ability  to  tolerate  failures  of  a  specified  subset  or 
percentage  of  its  components  (i.e.  the  degree  of  its  fault  tolerance).  The  mid-value 
selection  algorithm  of  the  TMR  concept  allows  coverage  of  only  the  first  failure  and  the 
NMR  concept  allows  coverage  of  the  first  (N-1)/2  failures  where  N  is  any  integer.
However,  the  improvement  in  structure  reliability  with  each  level  of  redundancy  assumes 
that:  1)  a  fault  to  any  single  controller  has  no  effect  on  the  normal  operation  of  the  total 
control  system,  and  2)  the  total  control  system  fails  only  upon  the  failure  of  all  controllers. 
This  is  only  possible  with  perfect  fault  detection  and  isolation  (FDI)  and  subsequent 
reconfiguration  of  the  control  system  to  maintain  normal  operations  without  loss  in 
performance  (i.e.  complete  fault  coverage).  In  the  following  chapters,  we  shall  investigate 
the  fault  coverage  and  reduced  system  entropy  achieved  by  FDI  schemes  for  dual  and  triple 
redundant  control  structures. 




Chapter  4:  Fault  Detection  and  Isolation  (FDI) 


In  contrast  with  current  fault-tolerant  control  schemes,  the  dual-difference 
redundant  structure  (DDRS)  and  triple  redundant  structure  (TRS)  provide  real-time  failure
detection  and  error  accountability  for  sensor  systems  in  an  untended  manufacturing 
environment  without  the  use  of  a  process  model.  Instead  of  modelling  the  process,  an 
analysis  of  the  control  structure  provides  a  minimized  Gaussian  error  distribution  (Chapter 
2)  and  a  maximized  exponential  reliability  distribution  (Chapter  3).  These  models  provide  a 
complete  concept  of  all  a  priori  knowledge  of  the  control  structure.  Entropy  provides  a 
measure  of  this  a  priori  knowledge  or,  more  appropriately,  lack  of  knowledge  (i.e. 
ignorance/uncertainty)  in  terms  of  the  a  priori  probability  distributions  (Chapter  5). 

Thus,  the  DDRS  and  TRS  are  one  step  beyond  passive  redundancy  schemes  (e.g. 
TMR  or  NMR)  towards  complete  fault  coverage  in  that  fault  occurrences  are  detected  and 
not  merely  screened.  Also,  these  control  structures  provide  fault-tolerant  control  (i.e.  fault 
detection,  isolation,  and  reconfiguration)  to  the  extent  of  their  capabilities.  The
dual-difference  redundant  structure  provides  quick  and  efficient  front-end  fault  detection  with  a
simple  difference  test,  yet  fault  isolation  is  only  possible  to  the  extent  which  the  simplex 
fault  detection  schemes  provide  fault  coverage.  The  triple  redundant  structure,  however, 
provides  both  efficient  fault  detection  and  isolation  with  a  more  complex  FDI  scheme. 
Upon  fault  detection,  the  TRS  is  reconfigured  to  the  DDRS  with  the  two  remaining  valid 
controllers.  In  this  manner,  fault-tolerant  control  is  achieved. 

Many  current  FDI  techniques  rely  on  a  systems  approach  to  dictate  the  proper
operating  conditions  for  a  controller.  The  emphasis  of  a  systems  approach  is  upon 
understanding  the  process  (not  the  control  structure)  so  that  its  progress  can  be  controlled 
and  faults  contained.  There  are  several  problems  with  this  approach: 


1.  Fault  detection  for  the  control  structure  is  achieved  in  a  secondary  fashion.  Generally, 
these  efforts  involve  using  a  process  model  (numeric  or  symbolic)  to  estimate  the  process 
outputs  (y)  for  given  inputs  (u),  and  these  are  compared  with  the  input  sensor  readings  of 
the  controller.  Any  major  discrepancy  indicates  the  occurrence  of  a  fault.  Attention  must 
be  focussed  upon  the  control  structure,  not  swept  along  with  process  modelling,  for  its 
proper  fault  monitoring. 

2.  These  models  usually  cannot  represent  the  process  completely  and  there  is  some 
considerable  error  associated  with  their  estimates.  It  is  the  assumption  of  this  paper  that 
our  expert  model  of  the  control  structure  allows  greater  confidence  than  any  results 
achieved  with  a  process  model  due  to  a  smaller  variance.

3.  There  is  no  generic  model  which  represents  every  process  effectively.  It  is  the  goal  of 
this  paper  to  model  a  generic  control  structure  (in  broad  terms,  admittedly)  such  that  it  may 
be  applied  to  any  controller  equally  and  effectively. 

4.  The  ancient  argument  of  empirical  vs.  theoretical  belief.  In  this  instance,  it  seems 
intuitively  better  to  know  with  certainty  what  the  process  is  doing  rather  than  what  it  should
be  doing. 


This  is  not  to  imply  that  the  extensive  work  being  done  with  analytical  redundancy 
is  not  meaningful.  On  the  contrary,  we  shall  find  that  more  efficient  fault  detection  and 
isolation  is  possible  with  additional  sources  of  information  or  voters.  Of  course,  with  this 
additional  knowledge  comes  greater  complexity.  With  analytical  redundancy,  confidence 
may  shift  to  the  system  level  in  order  to  diagnose  each  controller's  performance.  Hence, 
local  observation  and  process  modelling  can  complement  each  other  in  order  to  ensure 
continuous  and  efficient  system  knowledge.  Alternatively,  an  analytical  model  of  the 
process  can  be  used  as  a  failsafe  in  the  case  of  complete  hardware  failure.  In  this  chapter, 
we  shall  confine  our  attention  to  the  analysis  of  FDI  schemes  based  upon  physical 
hardware  redundancy. 




4.1.  Off-line  Maintenance


Important  to  the  reliable  performance  of  systems  over  long  periods  of  operation  is 
the  use  of  scheduled  maintenance.  By  use  of  partial  disassembly,  visual  inspection,  and  a 
number  of  specialized  inspection/testing  procedures  and  equipments,  deterioration  of 
components  can  be  discovered  and  the  components  replaced  before  they  fail  to  perform  in 
an  adequate  manner.  Some  stress  testing  may  be  included  in  maintenance  procedures  to 
identify  components  which  are  weak  in  some  respect  and  are  more  likely  to  suffer  an  early 
failure.  It  is  clear  that  frequent  and  careful  scheduled  maintenance  is  highly  beneficial  and 
yet  is  also  costly  both  in  terms  of  the  personnel  and  facilities  required  to  perform  the 
maintenance  and  in  terms  of  the  additional  systems  required  to  continue  service  while 
others  are  out  for  maintenance.  In  addition,  periodic  testing  cannot  detect  any  transient 
faults  or  spurious  noise  sources  unless  they  occur  during  the  test.  Therefore,  some  form  of
on-line  or  in  situ  FDI  scheme  is  required.  It  is  assumed  that  inspection  of  the  redundant
controllers  is  performed  prior  to  any  mission  (see  Section  3.2.2). 


4.2.  Simplex  Fault  Detection  and  Isolation 

Self-tests  of  single  or  simplex  structures  can  be  implemented  by  adding  additional 
hardware  to  the  control  structure  or  by  incorporating  reasonability  tests  in  the  computer 
software  which  monitors  the  structure's  status.  These  self-tests  are  usually  designed  to
detect  those  failure  modes  or  their  respective  signatures  which  have  been  identified  by 
conducting  a  failure  modes  and  effects  analysis  of  the  control  structure  design.  Although  a 
self-test  may  quickly  and  efficiently  detect  the  failure  mode  for  which  it  has  been  designed, 
the  inability  to  predict  a  priori  all  of  the  failure  modes  of  the  control  structure  tends  to  limit 
the  coverage  which  the  self-test  provides. 

Built-in  Test  Equipment  (BITE)  refers  to  special  monitoring  hardware  or  other
means  of  directly  indicating  the  operating  condition  of  the  control  structure  or  one  of  its
components  or  subsystems.  For  example,  Analog  Devices  4B  Alarm  Limit  Subsystem  is
an  off-the-shelf  BITE  which  provides  adjustable  alarm  limit  modules  with  independent  HI 
and  LO  relay  outputs  in  order  to  monitor  up  to  twelve  control  signals.  A  watchdog  monitor 
(WDM)  can  be  implemented  in  hardware  or  software  which  requires  a  specific  action  or 
sequence  of  actions  to  occur  continually  within  a  specified  time  period.  Some  sensor 
inputs  that  have  two-winding  inputs  (e.g.  resolvers,  LVDTs,  RVDTs)  have  known 
arithmetic  relationships  between  the  two  inputs  and  can  therefore  be  checked  in  this 
manner.  Output  integrity  can  be  accomplished  by  wrapping  the  output  signals,  often  in  the 
form  of  a  current,  back  to  the  control  system  for  verification.  However,  the  very  nature  of 
continuous  test  equipment  contradicts  itself  in  that  the  BITE  itself  is  subject  to  faults  as 
well. 


Reasonability  tests  are  the  first  line  of  testing  done  by  the  control  structure  to  ensure 
the  validity  of  the  control  structure.  Limit  testing  of  the  controller  variable  and  its  rate  will
detect  extreme  bias  and  noise  conditions,  respectively,  which  comprise  the  majority  of
spontaneous  faults.  For  example,  if  power  to  the  signal  acquisition  and  conditioning 
subsystems  goes  down  or  the  signal  line  is  cut  or  opened,  then  the  input  computer  readings 
will  take  a  giant  step  to  some  incoherent  value  (typically  zero).  In  addition,  the  physical 
characteristics  of  the  hardware  (e.g.  thermocouple)  or  the  parameter  may  dictate  an  absolute 
minimum  and/or  maximum  for  the  control  signal.  Thus,  the  range  check  may  also  guard 
against  shorts  to  other  voltage  sources  or  across  the  control  structures  if  the  sudden  bias  is 
large  enough  to  exceed  the  range.  The  rate  check  compares  the  discrete  rate  of  change  from 
sample  to  sample  versus  the  maximum  for  that  parameter.  Thus,  the  rate  check  may  be  able 
to  detect  a  short  to  a  noisy  source  or  the  occurrence  of  a  transient  spike  disturbance. 
Additional  reasonability  tests  can  be  constructed  to  account  for  other  directly  observable
fault  characteristics  of  the  simplex  control  structure. 

The  implementation  of  a  self-test  introduces  the  risk  of  making  two  types  of 
decision  errors  in  assessing  the  performance  of  the  control  structures  (Figure  4.1).  One 
might  erroneously  decide  that  an  unfailed  structure  has  failed  and  this  decision  error  is 
referred  to  as  a  false  alarm  (FA)  or  a  Type  I  error.  Alternatively,  one  might  erroneously 
decide  that  a  failed  structure  has  not  failed  and  this  decision  error  is  referred  to  as  a  missed 
detection  (MD)  or  a  Type  II  error.  Either  decision  error  can  arise  from  failures  of  the  BITE
hardware.  Missed  detection  is  a  common  decision  error  for  reasonability  tests  when  the 
magnitude  of  the  fault  is  not  large  enough  to  exceed  the  specified  intervals.  These  decision 
errors  can  have  a  significant  impact  on  the  reliability  and  performance  of  the  control 
structure. 




Figure  4.1  Two  Possible  Types  of  Decision  Errors  for  a  Binary  Event  Set 

4.3.  Duplex  Fault  Detection  and  Isolation


The  dual-difference  redundant  structure  (DDRS)  is  the  logical  implementation  of 
our  efforts  to  model  the  controller  error  sources  (Chapter  2).  By  placing  identical  control 
structures  side-by-side,  we  can  validate  their  dual  performance  by  comparison  of  the  two
structures.  For  a  given  common  input  at  the  sensors,  what  is  the  deviation  between  the 
identical  structures?  Notice  that  no  knowledge  of  the  input  is  needed,  save  that  it  is  the 
same  for  both  structures.  The  difference  test  will  usually  provide  better  coverage  for 
structure  faults  than  is  provided  by  simplex  testing  because  its  effectiveness  is  not  limited 
by  an  inability  to  predict  a  priori  all  of  the  possible  failure  modes.  Its  effectiveness  is 
strictly  limited  by  the  uncertainties  in  the  measurements  (i.e.  the  error)  and  in  the  control 
structures  (i.e.  reliability).  Ideally,  controller  deviation  would  be  zero  for  all  time.  From 
our  expert  model  of  structure  error,  we  know  that  this  is  not  the  case.

Structure  error  is  represented  by  a  stationary  Gaussian  pdf  with  minimal  mean  and 
variance  (Equation  2.1).  A  2-dimensional  error  vector  ε  (Figure  4.2)  can  be  defined  which
takes  a  random  walk  within  the  space  defined  by  the  error  of  controller  1  (ε1)  and  the  error
of  controller  2  (ε2).  This  space  can  be  delimited  by  a  box  or  window  of  width  T.  This
threshold  T  can  be  optimally  determined  from  a  cost  analysis  of  all  possible  event  and 
hypothesis  pairings  for  the  dual  structure  (Bayes  Criterion,  Section  4.3.2).  Alternatively, 
this  "Window  of  Valid  Performance"  can  be  defined  such  that  it  confines  the  dual  structure 
error  vector  for  most  samples  during  normal  operating  conditions  (Neyman-Pearson 
Criterion,  Section  4.3.3).  For  example,  a  threshold  set  at  the  three  sigma  limit  confines  a 
Gaussian  variable  for  99.7%  of  all  samples  under  normal  conditions.  In  either  case, 
traversal  of  the  error  vector  beyond  this  boundary  implies  the  occurrence  of  a  single  or  dual 
structure  fault  (where  fi,  f2  =  magnitude  of  a  fault  in  structure  1  and  2,  respectively).  A 
single  structure  fault  involves  the  addition  of  a  1-dimensional  error  vector  (horizontal  or 
vertical),  while  a  dual  fault  is  2-dimensional. 

One problem, however, with any given setting of the window's size is that there is
always the probability that this traversal is merely a valid magnitude of the modelled error
vector. The probability of false alarm (Pfa) is this conditional probability of improper fault
detection given that no such fault has occurred. The Neyman-Pearson criterion for
determining the threshold T is based on maintaining a specific bound on Pfa. This draws
our attention to the second problem in determining the decision threshold: the possibility of
a missed detection (Pmd), where the window may be set too big relative to the fault
vector's  magnitude.  Thus,  there  exists  an  inherent  give-and-take  for  this  scenario  between 
false  alarms  and  missed  detections. 

The key to the DDRS is the parallel, redundant nature of the control path which
allows increased confidence in the dual controllers due to their continual status
cross-checking. Thus, any error sources common to both parallel paths in the DDRS such as
process disturbances, load changes, improper sensor or actuator location, nonredundant
modules in the control path, etc. cannot be considered in our DDRS fault analysis.
Deviations  of  the  measured  parameter  from  expected  values  due  to  these  error  sources  will 
be  transparent  to  the  difference  test  and  must  be  detected  with  process  knowledge  by  the 
host  computer  (the  next  level  of  diagnostics).  Full  redundancy,  therefore,  is  preferred  over 
partial  or  modular  redundancy.  Parallel  operation  is  not  always  feasible,  though,  for  all 
modules  in  the  control  path,  such  as:  averaging  two  actuators  to  drive  the  process,  space 
limitations  in  locating  the  two  sensors,  the  expense  of  two  redundant  computers,  etc. 


4.3.1.  Dual-Difference  Validation  Test 

The  combination  of  dual  redundant  control  structures  and  an  expert  model  of  the 
structure  error  allows  for  a  quick,  efficient  method  of  validating  dual  controller 
performance.  Limit  testing  of  the  controller  variables  and  their  rates  will  detect  for  extreme 
bias and noise conditions, respectively, which normally comprise the most costly of
spontaneous dual and single channel faults. This definition of full scale magnitude (FS)
corresponds to an additional, outermost square (Figure 4.3) in the dual structure error
space which confines the error vector for all time. In addition to limit testing, a direct
comparison (or difference test) of two controller variables (e.g. outputs u1 and u2) can
validate DDRS operation with respect to the a priori error p(E) and reliability Rs(t)
distributions for the structures and a worst-case fault magnitude fmin based on the current
application. This comparison can be performed at any point in the parallel path of identical
structures, but can only validate the DDRS up to and not beyond that point. The residual r
is considered a sufficient statistic for this comparison because it removes the controller
variable (u) and error mean (με), which are common to both signals, from the test. The
dual-difference validation test is represented in Figure 4.3 by the area confined between
two parallel lines (given in slope-intercept form: ε2 = ε1 + T and ε2 = ε1 - T):

Difference Test for Validation of the Dual-Difference Control Structure
under normal operating conditions (i.e. f1 = f2 = 0)

$$|u_1 - u_2| = |u + \varepsilon_1 + f_1 - u - \varepsilon_2 - f_2| = |\varepsilon_1 - \varepsilon_2| \le T$$

Hence, $\varepsilon_1 + T \ge \varepsilon_2 \ge \varepsilon_1 - T$

The  Window  of  Valid  Performance,  however,  is  still  a  subspace  of  the  space  confined  by 
the  difference  test.  Figure  4.4  depicts  the  convergence  of  different  validation  schemes  and 
their associated test spaces towards the desired limits set by our expert model. The
Dual-Difference test space is shown to be smaller than that achieved through traditional
majority-voting schemes because minimal error variance is assumed for the expert model.

The  drawback  of  the  difference  test  is  that  our  detection  scheme  is  also  insensitive 
to  a  common  bias  fault:  a  dual  fault  where  a  fault  of  equal  amplitude  occurs  on  both 
controllers.  The  difference  test  attempts  to  define  acceptable  behavior  of  the  error  vector  in 
the  dual  structure  error  space  with  the  one-dimensional  pdf  of  the  residual  r  (Equation  3.2). 
The  long  strip  cutting  diagonally  across  the  length  of  the  error  space  represents  the  possible 
missed  detection  of  a  common  bias  fault.  If  a  uniform,  equivalent  fault  distribution  is 
assumed  for  both  controllers  (the  faults  have  an  equal  chance  of  achieving  any  magnitude 
up  to  full  scale  and,  therefore,  a  fault  vector  has  an  equal  chance  of  reaching  any  point  in 
the  error  space),  then  the  probability  of  the  occurrence  of  a  common  bias  fault  can  be  based 
on the ratio of the area of this strip (ADT) to the area confined by limit testing (4 FS²). For
small threshold T, this ratio is approximated by T/FS.

Figure 4.3 Dual-Difference Validation Space (dashed lines represent limit testing)

Figure 4.4 Convergence of Validation Schemes


4.3.2. Detection Scheme Optimization with Bayes Criterion


Our  fault  detection  scheme  is  analyzed  as  a  classical,  M-ary  hypothesis  test  (M=3) 
with  a  fixed,  singular  data  sample.  [Van  Trees]  With  each  sample,  it  is  assumed  that  a 
decision  from  M  possible  decisions  must  be  made  as  to  which  event  of  M  possible  events 
has  occurred.  Thus,  there  are  M  possible  alternatives  or  event-hypothesis  pairings  each 
time a decision must be made. The three events E0, E1, and E2 in our fault detection
scheme are that no fault, a single fault, or a common bias fault has occurred, respectively.
Our decision will be facilitated by a unique physical manifestation associated with each
event (i.e. the magnitude with which each event affects the measurable residual r). Dual
faults other than common bias faults are assumed to be indistinguishable from single
structure faults with respect to the difference test and are, therefore, included in event E1.
This fact has important ramifications in our attempt to isolate a fault to the structure in
which the fault occurred. Event E1 is represented as an additive error of magnitude
f = f1 - f2 (Figure 4.2) which causes a bias shift in the pdf of the residual r. This analysis is
concerned  with  the  worst-case  magnitude  of  f  (fmin)  which  is  the  smallest  fault  (and,  thus, 
the  hardest  to  detect)  of  accountable  cost  for  the  current  application.  A  major  concern  is 
that  event  E2  (a  common  bias  fault)  has  no  effect  on  the  residual  r  and  cannot  be 
distinguished  from  normal  operating  conditions. 


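$$P_0 = p(E_0) = R_s^2(t); \qquad P_2 = Q_s^2(t)\,\frac{A_{DT}}{4FS^2} = Q_s^2(t)\,\frac{4\,T\,FS - T^2}{4FS^2} \approx Q_s^2(t)\,\frac{T}{FS}$$

(Equations 4.1 - 4.3)

$$p(r|E_0) = p(r|E_2) = p(r) = \frac{1}{\sigma_r\sqrt{2\pi}}\exp\left(-\frac{r^2}{2\sigma_r^2}\right)$$

(Equation 4.4)

$$p(r|E_1) = p(r - f_{min})$$

(Equation 4.5)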

Our fault detection scheme is optimized by using a generalized likelihood ratio test
(GLRT) which is based on a degenerated Bayes criterion. [Van Trees] The Bayes criterion
assumes the a priori determination of the event probabilities P0, P1, and P2 (presented
above); the conditional probabilities P00, P01, P02, P10, P11, P12 for each decision
given the occurrence of each event (presented below); and the costs C00, C01, C02, C10,
C11, and C12 associated with each possible event-hypothesis pairing. For this exercise, the
Bayes criterion is degenerated such that only two hypotheses are of importance (H0 = valid
performance, H1 = fault detected) and only six alternate pairings are possible.

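$$P_{00} = p(H_0|E_0) = P_{02} = p(H_0|E_2) = \int_{-T}^{T} p(r)\,dr = \mathrm{erf}\left(\frac{T}{\sigma_r\sqrt{2}}\right) = \mathrm{erf}\left(\frac{T}{2\sigma}\right)$$

$$P_{FA} = P_{10} = P_{12} = \int_{-\infty}^{-T} p(r)\,dr + \int_{T}^{\infty} p(r)\,dr = 1 - P_{00}$$

$$P_{MD} = P_{01} = \int_{-T}^{T} p(r - f_{min})\,dr$$

$$P_{D} = P_{11} = \int_{-\infty}^{-T} p(r - f_{min})\,dr + \int_{T}^{\infty} p(r - f_{min})\,dr = 1 - P_{01}$$

(Equations 4.6 - 4.9)

where

$$\int_{\mu - T}^{\mu + T} f_{Gaussian}(\mu,\sigma)\,dx = \frac{1}{\sigma\sqrt{2\pi}}\int_{\mu - T}^{\mu + T} \exp\left(-\frac{(x-\mu)^2}{2\sigma^2}\right)dx = \frac{1}{\sqrt{\pi}}\int_{-T/(\sigma\sqrt{2})}^{T/(\sigma\sqrt{2})} \exp(-y^2)\,dy = \mathrm{erf}\left(\frac{T}{\sigma\sqrt{2}}\right)$$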

An average cost function or risk ($\Re$) is determined for our fault detection scheme:

$$\Re = \sum_{i=0}^{1}\sum_{j=0}^{2} P_j P_{ij} C_{ij} = P_0C_{10} + P_1C_{11} + P_2C_{12} + P_2P_{02}(C_{02} - C_{12}) + P_1P_{01}(C_{01} - C_{11}) - P_0P_{00}(C_{10} - C_{00})$$

(Equation 4.10)
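
The first three terms represent the fixed cost of our decision and the remaining
terms may be minimized with the following relation or likelihood ratio test (LRT):

$$P_2P_{02}(C_{02} - C_{12}) + P_1P_{01}(C_{01} - C_{11}) \underset{\text{say } H_0}{\overset{\text{say } H_1}{\gtrless}} P_0P_{00}(C_{10} - C_{00})$$

$$\frac{P_{01}}{P_{00}} \underset{\text{say } H_0}{\overset{\text{say } H_1}{\gtrless}} \frac{P_0(C_{10} - C_{00}) - P_2(C_{02} - C_{12})}{P_1(C_{01} - C_{11})} = \eta$$

(Equation 4.11)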

The  quantity  on  the  left  in  the  above  decision  rule  is  called  the  likelihood  ratio, 
denoted by Λ(r), and is determined directly from the conditional pdfs defined above:

$$\Lambda(r) = \frac{P_{01}}{P_{00}} = \frac{p(r - f_{min})}{p(r)} = \exp\left(\frac{2\,r\,f_{min} - f_{min}^2}{2\sigma_r^2}\right)$$

(Equation 4.12)

The  likelihood  ratio  test  for  our  detection  scheme  compares  the  absolute  value  of  the 
residual  to  the  threshold  T  and  is  thus  generalized  in  order  to  account  for  a  fault  in  either 
controller (i.e. any fault f = |f1 - f2| ≥ fmin). The threshold T can be directly determined
from the above decision rule using the derived form for the likelihood ratio Λ(r). The final
form for the difference test results upon slight rearrangement of the decision rule:

$$|r| \underset{\text{say } H_0}{\overset{\text{say } H_1}{\gtrless}} T = \frac{\sigma_r^2}{f_{min}}\log\eta + \frac{f_{min}}{2}$$

(Equation 4.13)

A special cost assignment that is frequently encountered in practice (e.g. the cost
values cannot be determined directly) is one where correct decisions incur no penalty
(C00 = C11 = C12 = 0) and incorrect decisions incur the same penalty (C10 = C01 = C02 = 1).
With this cost assignment, risk is equivalent to the probability of decision error and a
simpler definition for η is achieved:

$$\Re = P_{Error} = P_0P_{10} + P_1P_{01} + P_2P_{02}; \qquad \eta = \frac{P_0 - P_2}{P_1}$$

(Equations 4.14 and 4.15)

Figures 4.5 - 4.13 provide a perspective on the efficiency of the dual-difference
detection scheme based on the Bayes criterion with this special cost assignment. The
example error function (σ = 0.3276%FS, Figure 2.4) and the example reliability
distribution (MTBF = 293 days, Figure 3.7) for a typical control structure are used. The
conditional probability density function of the residual or test function r under both of the
primary hypotheses E0 and E1 is exemplified in Figure 4.5. This figure provides a
perspective on the nature of the two types of decision error and the extent of their
probabilities PFA and PMD. Note the dramatic dependence upon the threshold T.
Figures 4.6 - 4.11 represent all variables of interest within the dual-difference detection
scheme for a fault amplitude fmin = 5σr = 2.3165%FS. Note that the probability of a
dual fault p(E2), false alarm PFA, missed detection PMD, and decision error PError are very
small, while the probability of fault detection PD is almost completely certain, regardless of
when a fault should occur. The threshold T is originally made quite large while the
probability of normal operation is high and subsequently is pulled closer towards the origin
as the probability of a structure fault increases. Thus, the threshold is varied according to
the prior event probabilities of the control structure. Figures 4.12 and 4.13 depict the effect
upon the threshold T and the resulting probability of decision error for the fault detection
scheme as the ratio of the fault signal fmin to the noise deviation σr is increased from
one-half to five. Worst-case corresponds to a fault magnitude and ratio of zero (i.e. where a
fault cannot be distinguished with the residual) and the probability of error is 50% at all
times due to the blind guess of either event E0 or E1. There is a definite reduction in this
probability of decision error with increasing fault signal-to-noise ratio (SNR). Therefore,
this analysis is limited to the smallest fault magnitude fmin of importance or cost.
In addition, this relationship highlights the importance of minimization of the residual noise
(σr = σ√2) and therefore the error deviation (σ), as detailed in the error budget techniques
of Chapter 2, in order to maximize the SNR.

Figure 4.5 Decision Errors for a Binary Hypothesis Set

Figure 4.10

Figure 4.11 Probabilities of Detection Error

Figure 4.12 Threshold for Increasing SNR (horizontal axis: Time (Days))

4.3.3.  Detection  Scheme  Optimization  with  Neyman-Pearson  Criterion 

Clearly,  the  objective  of  any  binary  hypothesis  testing  decision  algorithm  is  to 
achieve  very  low  error  probabilities  or,  equivalently,  to  simultaneously  attain  high  fault 
detection PD and low amount of false alarms PFA. Unfortunately, these goals are in direct
conflict with each other in all problems of interest. This problem was not evident within
the example of Figures 4.5 - 4.11 due to the large SNR but, in cases dealing with smaller
SNR, this problem shall become evident. An explicit means of summarizing the tradeoff
between fault detection and false alarms is provided by the receiver operating characteristics
(ROC) plot. The ROC plot is merely a graph of PD vs. PFA and Figure 4.14 represents the
Gaussian case analyzed previously. The points PFA = PD = 1 and PFA = PD = 0 are
always on the ROC plot because they correspond to the respective strategies of always
deciding that a fault has occurred (event E1) or that the control structure is operative (event
E0). The ROC for any possible test always lies above the dotted line which represents the
worst-case scenario of equal priors (p(E0) = p(E1)) and a strategy of pure guessing without
regard  to  the  observations  (i.e.  the  residual).  The  monotonicity  of  the  ROC  plot  reflects  the 
fact  that  fault  detection  cannot  be  increased  without  a  subsequent  increase  in  false  alarms 
for  a  given  fault  SNR.  An  obvious  criterion  is  to  constrain  one  of  these  conditional 
probabilities  while  maximizing  (or  minimizing)  the  other.  As  opposed  to  the  Bayes 
criterion,  the  Neyman-Pearson  criterion  recognizes  this  basic  asymmetry  in  the  importance 
of  these  two  hypotheses.  [Poor,  Van  Trees] 

Figure 4.14 Receiver Operating Characteristics (ROC) Plot (axes: Probability of Fault Detection vs. Probability of False Alarm)


The classical Neyman-Pearson criterion of radar detection theory constrains the
conditional probability of false alarms PFA to remain less than some arbitrarily small value
α, known as the level or significance level of the test, and then maximizes the conditional
probability of fault detection PD to some value (1-β), known as the power of the test. This
generally assumes that η, known as the threshold of the test, is greater than unity. For
example, the cost of false alarms C10 could greatly exceed the cost of missed detections
C01 or the a priori probability of a fault P0 = p(E0) might be substantially smaller than that
of normal operation P1 = p(E1). Since the probability of fault detection monotonically
increases with the probability of false alarms (Figure 4.14), maximization of PD
corresponds with a PFA set at its upper bound of α.

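$$P_{FA} = P_{10} = \int_{-\infty}^{-T} p(r)\,dr + \int_{T}^{\infty} p(r)\,dr = \alpha$$

$$T = 2\sigma\,\mathrm{erf}^{-1}(1 - \alpha) \quad \text{where } \mathrm{erf}^{-1}(x) \text{ is the inverse function of } \mathrm{erf}(x)$$

$$P_{D} = P_{11} = 1 - \tfrac{1}{2}\,\mathrm{erf}\left(\mathrm{erf}^{-1}(1-\alpha) - \frac{f_{min}}{2\sigma}\right) + \tfrac{1}{2}\,\mathrm{erf}\left(-\mathrm{erf}^{-1}(1-\alpha) - \frac{f_{min}}{2\sigma}\right) = 1 - \beta$$

(Equations 4.16 - 4.18)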


The  threshold  T  is  held  constant  by  the  Neyman-Pearson  criterion  and  it  is  completely 
defined by Equation 4.17 upon choosing the level of the test (α). Likewise, the power of
the test is held constant and is defined by Equation 4.18, known as the power function of
the test. The power of the test (fault detection) is a monotonic function of the level of the
test (false alarms) and a change in one implies our willingness to accept a similar change in
the other. Note that decision costs are not evaluated and the prior event probabilities are not
incorporated within the Neyman-Pearson criterion and, thus, this information is forfeited
for a simpler approach to the fault detection scheme.

Figures 4.15 - 4.17 provide a perspective on the efficiency of the dual-difference
detection scheme based on the Neyman-Pearson criterion. The example error function
(σ = 0.3276%FS, Figure 2.4) and the example reliability distribution (MTBF = 293 days,
Figure 3.7) for a typical control structure are used. Figures 4.15 - 4.16 represent all
variables of interest within the dual-difference detection scheme for a fault amplitude fmin
= 5σr = 2.3165%FS with the threshold set at a constant three sigma interval (T = 3σr).
Therefore, the level of the test (probability of false alarms, PFA) is 0.27% and the power
of the test (probability of fault detection, PD) is 97.72%. Note that the probability of
decision error PError is very small, while the probability of fault detection PD is very certain
regardless of when a fault should occur. In comparison with the performance of the fault
detection scheme based on the Bayes criterion at a SNR of five, the Neyman-Pearson
criterion allows for a similar level of decision error with a reduction in the design
complexity. However, an increase is found to occur in the probability of missed detection
of a dual fault (event E2). Figure 4.17 depicts the resulting probability of decision error
for the fault detection scheme as the ratio of the fault signal fmin to the noise deviation σr is
increased from one-half to five. Analysis of Figure 4.17 indicates that a large fault
signal-to-noise ratio is required to even warrant using the Neyman-Pearson criterion for the
fault detection scheme. For small SNR ratios, the 3σ setting for the threshold hides the fault
distribution from the test (corresponding to always deciding event E0) and the probability
of error approaches 100% as the reliability approaches zero at long mission times.
Worst-case for the Bayes criterion corresponds to an SNR of zero (i.e. where a fault cannot be
distinguished with the residual) and the probability of error is 50% at all times due to the
blind guess of either event E0 or E1. Note that all curves in Figure 4.17 exhibit the
exponential rise associated with the unreliability because the threshold is not adjusted (as it
is with the Bayes criterion) to account for changes in the prior distributions. Also, there is
a definite reduction in this probability of decision error with increasing fault signal-to-noise
ratio (SNR).
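
The two threshold rules of Sections 4.3.2 and 4.3.3 can be checked numerically against the example values quoted above (σ = 0.3276%FS, fmin = 5σr, T = 3σr, MTBF = 293 days). The Python sketch below is an added example, not code from the thesis; it assumes an exponential reliability Rs(t) = exp(-t/MTBF), priors P0 = Rs², P2 = Qs²·T/FS and P1 = 1 - P0 - P2, and the equal-cost threshold T = fmin/2 + (σr²/fmin) ln η with η = (P0 - P2)/P1, and every function name is illustrative.

```python
from math import erf, exp, log, sqrt
from statistics import NormalDist

SIGMA = 0.3276                 # structure error deviation, %FS (page's example)
SIGMA_R = SIGMA * sqrt(2.0)    # residual deviation: sigma_r = sigma * sqrt(2)
F_MIN = 5.0 * SIGMA_R          # smallest fault of accountable cost (SNR = 5)
MTBF_DAYS = 293.0              # page's example reliability figure
FULL_SCALE = 100.0             # limit-test bound, %FS


def erfinv(y):
    """Inverse error function, via the standard normal quantile."""
    return NormalDist().inv_cdf((1.0 + y) / 2.0) / sqrt(2.0)


def p_inside(T, shift=0.0, sigma_r=SIGMA_R):
    """Pr{|r| <= T} for a residual r ~ N(shift, sigma_r^2)."""
    k = sigma_r * sqrt(2.0)
    return 0.5 * (erf((T - shift) / k) - erf((-T - shift) / k))


def performance(T, f_min=F_MIN, sigma_r=SIGMA_R):
    """Return (P_FA, P_MD, P_D) of the difference test |r| > T."""
    p_fa = 1.0 - p_inside(T, 0.0, sigma_r)
    p_md = p_inside(T, f_min, sigma_r)
    return p_fa, p_md, 1.0 - p_md


def neyman_pearson_threshold(alpha, sigma=SIGMA):
    """Fixed threshold that holds the false-alarm level at alpha."""
    return 2.0 * sigma * erfinv(1.0 - alpha)


def priors(t_days, T):
    """(P0, P1, P2) at mission time t; assumed model, not the thesis's data."""
    r_s = exp(-t_days / MTBF_DAYS)      # assumption: exponential reliability
    q_s = 1.0 - r_s
    p0 = r_s * r_s                      # both structures still valid
    p2 = q_s * q_s * T / FULL_SCALE     # both failed AND inside the hidden strip
    return p0, 1.0 - p0 - p2, p2


def bayes_threshold(t_days, f_min=F_MIN, sigma_r=SIGMA_R):
    """Equal-cost threshold, re-solved as the priors drift over the mission."""
    if t_days <= 0:
        raise ValueError("t_days must be positive")
    T = f_min / 2.0
    for _ in range(20):                 # P2 depends on T: fixed-point iteration
        p0, p1, p2 = priors(t_days, T)
        if p1 <= 0.0:
            raise ValueError("fault prior is zero; threshold is unbounded")
        eta = (p0 - p2) / p1
        T = max(0.0, f_min / 2.0 + sigma_r ** 2 / f_min * log(eta)) if eta > 0 else 0.0
    return T


def error_probability(T, t_days, f_min=F_MIN, sigma_r=SIGMA_R):
    """P_Error = P0*P10 + P1*P01 + P2*P02 for threshold T at time t."""
    p0, p1, p2 = priors(t_days, T)
    p_fa, p_md, _ = performance(T, f_min, sigma_r)
    return p0 * p_fa + p1 * p_md + p2 * (1.0 - p_fa)


if __name__ == "__main__":
    t_np = 3.0 * SIGMA_R
    p_fa, p_md, p_d = performance(t_np)
    print(f"Neyman-Pearson T=3*sigma_r: P_FA={p_fa:.4%}  P_D={p_d:.4%}")
    print(" day  T_bayes  P_err(Bayes)  P_err(T=3*sigma_r)")
    for day in (1, 30, 100, 300, 600):
        t_b = bayes_threshold(day)
        print(f"{day:4d}  {t_b:7.4f}  {error_probability(t_b, day):12.5f}"
              f"  {error_probability(t_np, day):12.5f}")
```

The fixed three-sigma threshold reproduces the 0.27% level and 97.72% power stated in the text, while the prior-dependent threshold moves toward the origin as the mission time grows.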

4.3.4. Duplex Fault Isolation and Reconfiguration


Upon  fault  detection  within  the  control  structure,  diagnostic  schemes  must  be 
initiated  to  isolate  the  failed  structure(s),  locate  and  report  the  faulty  module(s),  and 
reconfigure  the  system  in  order  to  provide  continuous  valid  control  for  the  length  of  the 
mission (Note: system shutdown is not considered possible in this exercise!). The dual
nature  of  the  DDRS  afforded  quick  and  efficient  validation  of  the  controllers  with  the 
difference  test.  However,  no  new  information  may  be  gained  by  further  comparison  of  the 
two  structures  once  a  fault  has  been  detected.  Hence,  subsequent  decisions  must  be  based 
on  further  analysis  of  the  individual  controllers  (simplex  FDI,  Section  4.2).  Otherwise, 
either  controller  may  be  decided  as  valid  with  a  50%  chance  of  correct  isolation  (flip  a  coin) 
given  that  a  single  fault  has  occurred  and  with  complete  error  upon  occurrence  of  a  dual 
fault.  In  this  case,  note  that  the  probability  of  misisolation  by  blind  guess  given  that  a  fault 
has  been  detected  (Equation  4.19)  goes  to  unity  as  time  goes  to  infinity.  Reconfiguration 
consists  of  removing  the  faulty  controller  from  the  output  estimation  scheme  (i.e. 
averaging)  yet  still  including  it  as  a  voter  in  the  FDI  scheme.  The  faulty  controller  is  simply 
returned  to  valid  status  upon  a  successful  difference  test.  This  reconfiguration  scheme 
allows  recovery  from  false  alarms  and  transient  faults  and  maintains  the  independence 
between  successive  difference  tests  of  the  DDRS  over  the  mission.  Alternatively, 
reconfiguration  may  consist  of  ignoring  the  faulty  controller's  output  in  all  future 
operations  (Section  4.5)  with  the  final  possible  state  of  the  system  being  shutdown.  Figure 
4.18  depicts  the  decision  tree  associated  with  our  FDI  scheme  for  two  levels  of  redundancy 
where  correct  decisions  are  denoted  with  a  check  mark.  The  probability  of  each  possible 
system  state  can  be  directly  determined  from  the  decision  tree  (Equations  4.20  -  4.24). 
Figure  4.19  follows  the  total  probability  of  decision  error  for  the  FDI  scheme  over  the 
mission  time  of  our  example  control  structure,  accounting  for  both:  detection  errors  based 
on  the  Bayes  criterion;  and  isolation  errors  by  blind  guess.  Due  to  the  near  optimality  of 
the detection scheme in this example (i.e. P00 = P11 = 1), PError (Equation 4.25) is
approximately the probability of misisolation by blind guess (Equation 4.19).


Pr{Misisolation | Fault Detected} = (1 - Pr{Isolation | f1,f2}) Pr{f1,f2} +
(1 - Pr{Isolation | f1}) Pr{f1} + (1 - Pr{Isolation | f2}) Pr{f2}


Pr{Misisolation by Blind Guess | Fault Detected} = 2 (0.5) Rs(t) Qs(t) + Qs²(t)

(Equation 4.19)


Probability of Each Possible System State for the DDRS (Equations 4.20 - 4.24)


1: Dual Structure, Both Working
2: Dual Structure, One Working
3: Dual Structure, None Working
4: Single Structure, Working
5: Single Structure, Not Working


Probability of System Error for the DDRS

$P_{Error} = Q_s^2 + Q_s R_s$ for the optimal fault detection scheme (Equation 4.25)

Figure 4.18 Decision Tree for FDI Scheme with Dual Redundancy


Figure  4.19  Probability  of  Decision  Error  for  Optimal  FDI  Scheme 


4.4.  Triplex  Fault  Detection  and  Isolation 


With  triple  modular  redundancy  (TMR),  structure  validation  is  provided  by 
comparison  of  three  identical  control  structures.  TMR  is  actually  the  most  common  form  of 
traditional  majority-voting  schemes.  Its  obvious  advantage  over  dual  redundancy  is  the 
efficient  means  of  isolating  a  single  structure  fault ...  a  direct  extension  of  the  DDRS  to 
allow  for  fault-tolerant  control  of  the  system.  Additionally,  unreliability  and  error  are 
reduced  with  each  level  of  redundancy.  Entropy,  however,  is  increased  with  redundancy. 
Upon  fault  detection  and  isolation,  the  triplex  system  reconfigures  to  the  DDRS  utilizing  the 
two  valid  controllers.  The  benefits  of  a  triplex  system  are  lost  during  a  common  dual  or 
triple  fault  and  perhaps  even  become  a  detriment  if  the  voting  scheme  follows  the  faulty 
controllers.  However,  as  seen  before,  the  probability  of  a  common  fault  is  small.  Finally, 
the  additional  hardware  requires  more  expense  and  working  volume  per  system  variable 
than might be afforded. Space limitations are one of the major reasons current fault-tolerant
techniques  have  shifted  their  attention  to  analytical  redundancy  (i.e.  system  models). 

4.4.1. Two-dimensional Parity Space

The  combination  of  a  triple  redundant  control  structure  (TRS)  and  probabilistic 
models  of  the  structure  error  and  reliability  allows  for  an  efficient  method  of:  1)  validation 
of  triple  controller  performance,  2)  isolation  of  a  single  controller  fault,  and  3) 
reconfiguration  to  the  DDRS.  Comparison  tests  of  the  controller  signals  detect  and  isolate 
faults  by  observing  disagreements  in  controller  demands.  A  sufficient  statistic  for  these 
comparison  tests  must  be  defined  which:  1)  is  a  linear  combination  of  controller  signals 
(e.g.  input  sensor  measurements),  and  2)  removes  the  unknown  controller  variable  (u)  and 
error mean (με), common to all signals, from the test. The latter property allows the use of
a comparison threshold determined a priori that is dependent upon the signal-to-noise ratio
(SNR) of structure error deviation (σ) and the smallest fault magnitude of accountable cost
(fmin). As seen in the previous section, a simple difference between controller variables
can validate DDRS operation. However, the set of three difference equations possible for
the TRS is linearly dependent and does not facilitate a probabilistic analysis of the FDI
scheme.  For  an  n-dimensional  parameter  space,  only  a  set  of  (n-1)  independent  linear 
comparison  tests  can  be  derived  because  each  comparison  test  must  include  at  least  two 
parameters  to  remove  the  controller  variable.  Hence,  a  two-dimensional  parity  or 
comparison  space  (Figure  4.20)  composed  of  two  parity  equations  (Equations  4.26,  4.27) 
is  suggested  by  Walker  to  facilitate  fault  detection  and  isolation  for  the  TRS.  [Walker] 


Parity Vector p: $p_1 = \frac{2}{\sqrt{6}}u_1 - \frac{1}{\sqrt{6}}u_2 - \frac{1}{\sqrt{6}}u_3$

(Equations 4.26, 4.27)


Parity Vector p: $r = \sqrt{p_1^2 + p_2^2}$, $\theta = \tan^{-1}\left(\frac{p_2}{p_1}\right)$

(Equations 4.28, 4.29)

Figure  4.20  Two-Dimensional  Parity  Space  for  the  TRS 

Equations 4.26 and 4.27 define the two orthonormal residuals which comprise the
two-dimensional parity space for the triple redundant control structure. Orthonormality
dictates  that:  1)  the  residuals  are  orthogonal  (i.e.  perpendicular)  and  thus  retain  a  zero 
mean,  and  2)  each  residual  is  normalized  to  a  unit  vector  of  unity  magnitude.  Further,  this 
orthonormal  set  of  parity  equations  corresponds  to  a  2x3  linear  transformation  matrix  P 
of  the  controller  signals  comprised  of  the  eigenvectors  of  the  3  x  3  diagonal  correlation 
matrix  A  of  the  parameter  space.  This  transfers  the  uncorrelated  Gaussian  distribution  with 
zero  means  and  equal  variances  of  the  parameter  space  to  the  parity  space  (diagonal 
correlation  matrix  D): 

Theorem: For every n x n real symmetric matrix A there exists an m x n
(m ≤ n) real orthogonal matrix P such that $PAP^{-1} = D$, or, equivalently, such
that $PAP^{T} = D$, where D is a diagonal matrix. [Bronson]

Here,

$D = PAP^{T} = P\,\sigma^2 I_3\,P^{T} = \sigma^2 I_2$, wherein $I_n$ = n x n identity matrix

The  resultant  two-dimensional  parity  space  is  depicted  in  Figure  4.20.  The  goal  of  this 
parity  vector  approach  is  to  generate  signals  which  are  insensitive  to  modelling  errors, 
highly  sensitive  to  failures,  and  respond  to  different  failures  in  easily  recognized  ways  to 
facilitate  isolation.  Neglecting  error  terms,  the  fault  signatures  of  the  three  controllers  are 
defined by three distinct and equidistant vectors (f1, f2, and f3, respectively) of equal
magnitude F and their three corresponding inverses which split the plane into six equal
pieces. Our fault detection scheme takes advantage of this balanced or symmetrical
property of uniform detectability by utilizing a circular threshold of radius Tr as a
comparison test against the radius r of the parity vector. Our fault isolation scheme divides
the parity space into six equal pie sections of 60° each and centers them about each of the
three fault signatures and their inverses. Hence, the parity space is also further transformed
to polar coordinates of radius r and angle θ (Equations 4.28, 4.29). The definition of full
scale  magnitude  (FS)  corresponds  to  an  additional,  outermost  circle  in  the  parity  space 
which  confines  the  parity  vector  for  all  time.  [Gai,Weber] 

The  drawback  of  this  comparison  test  is  that  our  detection  scheme  is  also  insensitive 
to  certain  combinations  of  concurrent  faults;  specifically,  a  dual  or  triple  fault  where  the 
resultant fault vector (f) lies within the circular threshold Tr (a blind spot, if you will).
Where  one  fault  alone  might  be  of  significant  magnitude  to  pass  beyond  the  circular 
threshold  and  hence  be  observable  by  the  comparison  test,  the  resultant  fault  vector  in  the 
parity  space  (as  determined  by  Equations  4.26,  4.27)  cancels  this  effect  and  the  faults 
become  hidden  from  the  test.  The  probability  of  a  hidden  dual  fault  or  hidden  triple  fault 
are  determined  below  for  small  threshold  Tr  (Equations  4.30, 4.31).  A  uniform,  equivalent 
fault  distribution  is  assumed  for  all  controllers  (the  faults  have  an  equal  chance  of  achieving 
any  magnitude  up  to  full  scale  and,  therefore,  a  fault  vector  has  an  equal  chance  of  reaching 
any  point  in  the  error  space).  The  probability  of  the  occurrence  of  a  hidden  fault  can  be 
based  on  the  ratio  of  the  area  of  possible  hidden  fault  vectors  (as  depicted  in  Figures  4.21 
and  4.22)  to  the  total  area  of  possible  fault  vectors  in  the  three-dimensional  fault  space. 
Note  the  resemblance  of  the  area  of  possible  dual  hidden  fault  vectors  (Figure  4.21)  to  the 
hidden  space  of  the  difference  test  for  the  DDRS  (Figure  4.3).  The  following  analysis  is 
only  valid  for  small  threshold  Tr  because  it  does  not  account  for  limiting  effects  to  the  area 
of possible hidden fault vectors near the full-scale (FS) values of the fault space.
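
The circular detection test, the 60° isolation sectors and the blind spot for common faults described in this section are sketched below in Python as an added example that is not part of the thesis. The first parity row is Equation 4.26 as given; the second row (the unit vector orthogonal to it and to the common-mode direction), the threshold Tr = 1.0 and the sample readings are assumptions constructed for illustration.

```python
from math import atan2, degrees, hypot, sqrt

# Rows of the 2x3 parity transformation P.
ROW1 = (2 / sqrt(6), -1 / sqrt(6), -1 / sqrt(6))   # Equation 4.26 as given
ROW2 = (0.0, 1 / sqrt(2), -1 / sqrt(2))            # assumption: not shown on the page

# Sector k is centred on k*60 degrees. With the rows above, the fault
# signatures (columns of P) point at 0, 120 and 240 degrees for controllers
# 1, 2 and 3; their inverses (negative faults) lie 180 degrees away.
SECTORS = [(1, +1), (3, -1), (2, +1), (1, -1), (3, +1), (2, -1)]


def parity(u):
    """Map three redundant controller signals to the parity vector (p1, p2)."""
    p1 = sum(c * x for c, x in zip(ROW1, u))
    p2 = sum(c * x for c, x in zip(ROW2, u))
    return p1, p2


def polar(p):
    """Radius r and angle theta (degrees, 0..360) of a parity vector."""
    return hypot(p[0], p[1]), degrees(atan2(p[1], p[0])) % 360.0


def classify(u, t_r):
    """Return (state, controller, sign) from the circular threshold test."""
    r, theta = polar(parity(u))
    if r <= t_r:
        return ("valid", None, 0)
    controller, sign = SECTORS[round(theta / 60.0) % 6]
    return ("fault", controller, sign)


# Constructed readings: a common value of 50 plus small structure errors.
SAMPLES = {
    "nominal":                (50.10, 49.80, 50.15),
    "+3 fault on 2":          (50.10, 52.80, 50.15),
    "-3 fault on 3":          (50.10, 49.80, 47.15),
    "+3 on all three":        (53.10, 52.80, 53.15),   # hidden triple fault
    "+3 on both 2 and 3":     (50.10, 52.80, 53.15),   # common dual fault
}


def run_samples(t_r=1.0):
    """Classify every constructed sample with threshold t_r."""
    return {name: classify(u, t_r) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} -> {verdict}")
```

The equal triple fault leaves the parity vector unchanged and passes as valid, and the equal dual fault on controllers 2 and 3 lands in the sector of a negative fault on controller 1, so the voter would discard the only healthy controller.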

Without Loss of Generality (WOLOG), assume f1 = 0.


Probability of a Hidden Triple Fault in TRS (given that a triple fault has occurred)


Pr(  Hidden  Triple  Fault  I  f,  &  fj  &  ^  Triple  Fault )  =  Pr{  r  =  +  p^  <  T,  I  f,  &  fj  &  fj  ) 


=  Pr(  I  -  fjfj  -  fjf,  -  fjfj  I  £  |t,  ) 


(2tl)(y|T/  ^  7/3  t/ 

(2FS/  16/2  FS’ 


Pr{  Hidden  Triple  Fault  I  TRS  Triple  Fault } 


773  t/ 

16/2  FS^ 


(Equation  4.22) 


Figure  4.22 


Hidden  Triple  Fault  Represented  in  the  Fault  Space 
4.4.2.  Detection  Scheme  Optimization  with  Bayes  Criterion


Our  fault  detection  scheme  is  analyzed  as  a  classical,  M-ary  hypothesis  test  (M=4) 
with  a  fixed,  singular  data  sample.  [Van  Trees]  With  each  sample,  it  is  assumed  that  a 
decision  from  M  possible  decisions  must  be  made  as  to  which  event  of  M  possible  events 
has  occurred.  Thus,  there  are  M  possible  alternatives  or  event-hypothesis  pairings  each 
time a decision must be made. The four events E0, E1, E2, and E3 in our fault detection
scheme are that no fault, a single fault, or a hidden fault of dual or triple nature has
occurred, respectively. Our decision will be facilitated by a unique physical manifestation
associated with each event (i.e. the magnitude with which each event affects the measurable
parity vector p). Dual and triple faults other than a hidden fault are assumed to be
indistinguishable from single structure faults with respect to the threshold test and are,
therefore, included in event E1. This fact has important ramifications in our attempt to
isolate a fault to the structure in which the fault occurred. Event E1 is represented as an
additive fault vector of magnitude F (Figure 4.20) which causes the parity vector to shift
outside the circular threshold Tr. This analysis is concerned with the worst-case
magnitude of f (fmin) which is the smallest fault (and, thus, the hardest to detect) of
accountable cost for the current application. A major concern is that events E2 and E3
(hidden  faults)  have  no  effect  on  the  parity  vector  and  cannot  be  distinguished  from  normal 
operating  conditions. 


^  1  9T 
o  Fo


I6/2  FS 


3  ’ 
Equations  4.23  -  4.26


Our  fault  detection  scheme  is  optimized  by  using  a  generalized  likelihood  ratio  test 
(GLRT)  which  is  based  on  a  degenerated  Bayes  criterion.  [Van  Trees]  The  Bayes  criterion 
assumes  the  a  priori  determination  of  the  event  probabilities,  the  conditional  probabilities 
for  each  decision  given  the  occurrence  of  each  event,  and  the  costs  associated  with  each 
possible event-hypothesis pairing. For this exercise, the Bayes criterion is degenerated
such that only two hypotheses are of importance (H0 = valid performance, H1 = fault
detected) and only eight alternate pairings are possible.

An  average  cost  function  or  risk  (R)  is  determined  for  our  fault  detection  scheme 
and is minimized with the likelihood ratio test (LRT). The special cost assignment where
correct decisions incur no penalty and incorrect decisions incur the same penalty is utilized.
With this cost assignment, risk is equivalent to the probability of decision error. The
likelihood ratio, denoted by Λ(r), is determined directly from the ratio of the envelope's
marginal densities under either event. The resultant test for our detection scheme compares
the  radius  r  to  the  derived  threshold  Tr  and  is  thus  generalized  in  order  to  account  for  a  fault 
in  any  controller. 

The  following  analysis  draws  heavily  upon  the  theory  of  envelope  detection  used 
quite  commonly  in  radio  communications  and  radar.  [Schwartz,  Peebles,  Shanmugam] 
We  shall  first  consider  the  case  of  normal  operating  conditions  where  only  noise  is  present 
(i.e. Event 0). Recall from Section 4.2.1. that the components of the parity vector (p1 and
p2) are Gaussian, uncorrelated, and hence statistically independent. Further, these
parameters were transformed to polar coordinates (r and θ) and the Jacobian of this
transformation is readily found to be the radius r (i.e. dx dy = r dr dθ). The probability
distributions for these variables are as follows:




p(p1, p2 | E0)
(Equations 4.27, 4.28)


To  find  the  marginal  density  functions  for  the  envelope  and  phase  alone,  we  simply  average 
the  joint  density  function  over  all  possible  values  for  the  angle  and  radius,  respectively: 

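$$p(r \mid E_0) = \int_0^{2\pi} p(r,\theta \mid E_0)\, d\theta = \frac{r}{\sigma^2} \exp\!\left(-\frac{r^2}{2\sigma^2}\right) \qquad p(\theta \mid E_0) = \int_0^{\infty} p(r,\theta \mid E_0)\, dr = \frac{1}{2\pi}$$

(Equations 4.29, 4.30)

The marginal density of the envelope is the Rayleigh distribution which is limited to
positive values (shown in Figure 4.23 as F/σ = 0). The conditional probability of false
alarm (P10 = PFA) is easily found to be:

$$P_{FA} = P_{10} = \int_{T_r}^{\infty} p(r \mid E_0)\, dr = \left[-\exp\!\left(-\frac{r^2}{2\sigma^2}\right)\right]_{T_r}^{\infty} = 1 - P_{00}$$

(Equation 4.31)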


Next,  we  shall  consider  the  case  of  a  fault  condition  where  a  fault  vector  f  of 
magnitude  F  is  present  (i.e.  Event  1).  The  components  of  the  fault  vector  will  be  denoted 
f1 and f2. The probability distributions for the parity vector and its transform are as
follows:
(Equations 4.32, 4.33)
The conditional probability of missed fault detection (P01 = PMD) is more difficult to solve.
The probability of missing any of the fault signatures (f1, f2, and f3) is equal for all three
cases due to the symmetry of the fault signatures and the balanced nature of the Gaussian
parity vector. Also, the prior probabilities of any of the three faults occurring are equal
(i.e. 1/3). Hence, PMD is equal to the probability of missing any one of the three fault
signatures. We shall restrict the analysis to only one of the three possible fault signatures:
specifically, a fault on controller one (f1) where f1 = F and f2 = 0. The marginal density
function for the envelope is found by averaging the joint density function over all possible
angles:

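$$p(r \mid f_1) = \int_0^{2\pi} p(r,\theta \mid f_1)\, d\theta = \frac{r}{2\pi\sigma^2} \exp\!\left(-\frac{r^2 + F^2}{2\sigma^2}\right) \int_0^{2\pi} \exp\!\left(\frac{rF\cos\theta}{\sigma^2}\right) d\theta$$

$$p(r \mid f_1) = \frac{r}{\sigma^2} \exp\!\left(-\frac{r^2 + F^2}{2\sigma^2}\right) I_0\!\left(\frac{rF}{\sigma^2}\right)$$

(Equation 4.34)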


The integral in Equation 4.34 cannot be evaluated in terms of elementary functions but is
found to be equivalent to the modified Bessel function of the first kind and zero order I0(z).
[Schwartz] This marginal distribution for the envelope is often called the Rician or Rice
distribution (Figure 4.23 by Peebles) in honor of S. O. Rice of Bell Telephone
Laboratories who developed and discussed the properties of this distribution in a
pioneering series of papers on random noise. [Rice] The Rician distribution is equivalent
to the Rayleigh distribution for small SNR (i.e. F/σ = 0) and approaches a Gaussian
distribution with mean F and variance for large SNR [Schwartz]. Hence, for large
SNR, the conditional probability of missed fault detection (P01 = PMD) is approximated:


Tr 


Pmd  =  Pc.  =  Jp(r'E.)3^  =  ‘  " 

(Equation  4.35) 
The conditional probability of fault isolation (PI) is also difficult to solve. Again,
the probability of correctly isolating any of the fault signatures (f1, f2, and f3) or their
inverses is equal for all six cases and each case is equally likely (i.e. 1/6). We shall
restrict the analysis to only one of the six possible cases: specifically, a positive fault on
controller one (f1) where f1 = F and f2 = 0. The marginal density function for the phase is
found by averaging the joint density function over all possible radii: [Schwartz]

for large SNR and small angle θ
(Equation 4.36)


The marginal density of the phase is depicted in Figure 4.24 by Peebles. The curve is
symmetrical about the assumed zero phase angle of the fault signature. For small SNR, the
distribution reduces to a uniform probability of 1/2π as found earlier. For large SNR, the
curve peaks markedly about the assumed phase angle and approaches an impulse function.
Thus, the probability of fault isolation approaches certainty as the SNR increases. For
large SNR and small angle θ, Schwartz found that the phase density can be approximated
by a Gaussian distribution in radians of zero mean and a standard deviation equal to the
SNR inverse of σ/F (Equation 4.36). [Schwartz] In this case, the conditional probability
of fault isolation:

(Equation 4.37)

For  example,  the  probability  of  fault  isolation  is  approximately  99.75%  for  a  SNR  of  5.77. 
Figure  4.24


An average cost function or risk (R) equivalent to the probability of detection error
(PError) is minimized with the likelihood ratio test (LRT). The likelihood ratio, denoted by
Λ(r), is determined directly from the ratio of the envelope's marginal densities under either
event.

(Equation 4.38)

However, the fault vector f of event E1 is unknown a priori. The maximum likelihood
(ML) estimates of the fault vector components f1 and f2 are those values which maximize the
likelihood ratio. The above Equation 4.38 implies that the fault vector estimate of f = p
where f1 = p1 and f2 = p2 provides the maximum or worst-case likelihood ratio
corresponding to our ignorance of the fault vector. [Walker, Whalen] Yet, we still wish to
include our knowledge of the magnitude F of the fault vector in the analysis. Therefore,
the squared magnitude F^2 = 2/3 fmin^2 is substituted for (f1^2 + f2^2) in the likelihood ratio
and the ML estimate is utilized in all other instances:


A(PpP2l  ^i=Pi.  2^  ^  ^ 

(Equation  4.39) 

As discussed in Section 4.3.2., the likelihood ratio is compared with the ratio of the priors
η = (P0 - P2 - P3)/P1 ≈ P0/P1 (Equation 4.15). The resultant test for our detection
scheme compares the radius r to the derived threshold Tr and is thus generalized in order to
account for a positive or negative fault in any controller.

(Equation 4.40)

Similarly, an average cost function or risk (R) equivalent to the probability of
detection error must be determined and minimized with the likelihood ratio test (LRT) for
each of the three possible fault signatures. The likelihood ratios, denoted Λ1(r), Λ2(r), and
Λ3(r), are determined directly from the ratio of the envelope's marginal densities under
event E1 for the respective fault signature and event E0. Here, the fault vector f of event E1
is known a priori. The result is three tests comparing the absolute value of each fault
signature's characteristic equation to a derived threshold Tj. They are generalized in order
to account for a positive or negative fault in the controller.


Comparison  Test  for  a  Fault  on  Controller  1: 
(Equations 4.41 - 4.42)


Comparison Test for a Fault on Controller 2:
(Equations 4.43 - 4.44)


Comparison Test for a Fault on Controller 3:
(Equations 4.45 - 4.46)

for the individual fault signatures. With this additional knowledge of the fault signatures,
the  maximum  likelihood  (ML)  estimate  of  the  actual  fault  incurred  is  the  average  of  the  six 
possible  cases:  the  three  fault  signatures  and  their  respective  inverses.  However,  the 
average  of  the  six  cases  is  zero  due  to  the  symmetry  of  the  fault  signatures.  Thus,  we  shall 
take  the  average  of  the  three  generalized  comparison  tests  above.  This  corresponds  to  the 
worst-case  scenario  of  not  knowing  which  of  the  three  equally  likely  fault  signatures  has 
occurred.  Yet,  this  still  includes  more  information  than  the  first  method  where  we  only 
knew  the  magnitude  F  of  the  fault  vector.  The  resultant  test  is  determined  by  first  squaring 
both sides of the three generalized comparison tests and subsequently averaging the
comparators on the left side of the equations:

Averaging yields
(Equation 4.47)


where 
A comparison of the two methods of fault detection is illustrated in Figures 4.25
and 4.26. Both methods compare the radius r of the parity vector to a derived threshold Tr.
This optimal threshold is the essence and embodiment of each method and is the only true
distinction between the two. Yet, one can observe a close resemblance between the two
thresholds in Equations 4.40 and 4.47. The difference is that the coefficient of the first
term (log η) is approximately twice as large for the second method as it is in the first
method, while the second term remains the same. This causes the logarithmic effect of the
ratio of priors (η) to be increased for the second method. The thresholds are equivalent for
the two methods when the probability of any fault occurring is equal to the probability of
normal operation (p(E0) = 1 - p(E0) = 50%, η = 1). The threshold for the second method
is initially greater than for the first at the beginning of the mission (large η) but has a faster
descent to zero later in the mission (small η) when the probability of any fault occurring
dominates the event space.

The  resultant  test  is  a  more  optimal  detection  scheme  across  the  life  of  the  mission. 
In this example, the probability of missed detection (PMD = P01) is found to dominate the
probability of detection error. The probability of error is slightly greater for the second
method initially due to a larger threshold, but becomes much smaller as the probability of
any fault occurring becomes dominant and the threshold is more dramatically reduced. The
probability of false alarms (PFA = P10) and of a dual or triple hidden fault (p(E2) and
p(E3)) are found to be relatively insignificant in this exercise. The optimality of the second
method  assumes  a  longer  mission  time  where  the  control  system  goes  through  a  number  of 
successive  stages  of  reduced  operation.  For  very  small  mission  times,  the  first  method  is  a 
more  optimal  fault  detection  scheme.  However,  a  triple  redundant  control  structure  would 
be  inappropriate  for  short  mission  times. 
Circular Threshold for Two Methods
Figure 4.25

Probability of Detection Error for Two Methods
4.4.3.  Triplex  Fault  Isolation  and  Reconfiguration


Upon  fault  detection  within  the  control  structure,  diagnostic  schemes  must  be 
initiated  to  isolate  the  failed  structure(s),  locate  and  report  the  faulty  module(s),  and 
reconfigure  the  system  to  provide  continuous  valid  control.  The  balanced  nature  and 
symmetry  of  the  TRS  allows  efficient  fault  detection  and  isolation  for  the  controllers  with 
the  two-dimensional  parity  space.  Each  controller  has  a  distinctive  fault  signature  in  this 
parity  space.  The  collection  of  generalized  comparison  tests  for  these  individual  fault 
signatures  (Equations  4.42, 4.44,  and  4.46)  can  be  used  in  a  straightforward  manner  for  a 
fault  isolation  scheme  due  to  the  uniform  detectability  of  the  fault  signatures.  The  three 
generalized  comparison  tests  section  the  parity  space  as  depicted  in  Figure  4.27.  Several 
sections  overlap  and  therefore  represent  conflicting  decisions  between  events.  Conflict 
resolution  is  achieved  by  associating  the  faulty  controller  with  the  largest  comparator  Ci 
(Equation  4.48):  [Gai] 

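$$\max\left\{ C_1 = \left|\tfrac{2}{\sqrt{6}}\,p_1\right|;\; C_2 = \left|-\tfrac{1}{\sqrt{6}}\,p_1 + \tfrac{1}{\sqrt{2}}\,p_2\right|;\; C_3 = \left|\tfrac{1}{\sqrt{6}}\,p_1 + \tfrac{1}{\sqrt{2}}\,p_2\right| \right\} = C_i \;\Rightarrow\; \text{Fault on Controller } i$$

(Equation 4.48)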

The  resultant  isolation  scheme  sections  the  parity  space  into  six  equal  pie  sections  centered 
about  the  fault  signatures  and  their  inverses  (Figure  4.28).  It  is  assumed  that  fault  isolation 
is  only  initiated  upon  detection  of  a  fault.  Thus,  the  central  hexagon  which  represents  the 
threshold  for  fault  detection  (Figure  4.27)  is  reduced  to  a  point  at  the  origin  for  the  fault 
isolation scheme. This is equivalent to setting the threshold Tj for the comparison tests to
zero. The conditional probability of fault isolation (PI) for this decision area is derived
above (Equation 4.37) and is conditioned upon fault detection.
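
The detection and isolation tests of this section can be exercised numerically. The sketch below is an added example, not code from the thesis: the parity matrix V is an assumption (the standard three-controller form, whose columns have squared length 2/3 in agreement with F^2 = 2/3 fmin^2), and σ = 1, Tr = 3σ, the trial count and all function names are constructed for illustration. It goes slightly beyond the text by also evaluating the isolation probability against the straight sector edges, without the small-angle step.

```python
import math
import random

S2, S6 = math.sqrt(2.0), math.sqrt(6.0)

# Assumed parity matrix for three controllers measuring one scalar. Its rows
# are orthonormal and sum to zero; its columns are the three fault signatures.
V = ((2 / S6, -1 / S6, -1 / S6),
     (0.0,     1 / S2, -1 / S2))


def parity(outputs):
    """Map three controller outputs to the parity vector (p1, p2)."""
    return tuple(sum(row[j] * outputs[j] for j in range(3)) for row in V)


def radius(p):
    """Detection statistic r, compared against the circular threshold Tr."""
    return math.hypot(p[0], p[1])


def isolate(p):
    """Return the controller (1..3) whose comparator |signature . p| is largest."""
    comparators = [abs(V[0][j] * p[0] + V[1][j] * p[1]) for j in range(3)]
    return 1 + comparators.index(max(comparators))


def p_false_alarm(tr, sigma):
    """Rayleigh tail beyond Tr: noise-only probability that r exceeds Tr."""
    return math.exp(-tr ** 2 / (2.0 * sigma ** 2))


def p_isolation_small_angle(snr, half_width=math.pi / 6):
    """Phase taken as N(0, 1/snr): probability of staying in a +/-30 degree sector."""
    return math.erf(snr * half_width / S2)


def p_isolation_sector_edges(snr, half_width=math.pi / 6):
    """Union bound over the two straight sector edges, no small-angle step."""
    return 1.0 - math.erfc(snr * math.sin(half_width) / S2)


def simulate(faults, sigma, tr, trials, faulty=1, seed=1):
    """Monte Carlo: return (detection rate, isolation rate among detections)."""
    rng = random.Random(seed)
    detected = isolated = 0
    for _ in range(trials):
        outputs = [f + rng.gauss(0.0, sigma) for f in faults]
        p = parity(outputs)
        if radius(p) > tr:
            detected += 1
            isolated += isolate(p) == faulty
    rate = isolated / detected if detected else float("nan")
    return detected / trials, rate


if __name__ == "__main__":
    sigma, tr, snr = 1.0, 3.0, 5.77            # sigma, tr constructed; snr from the text
    f = snr * sigma / math.sqrt(2.0 / 3.0)      # controller fault giving F/sigma = snr
    print("P_FA analytic      ", p_false_alarm(tr, sigma))
    print("P_FA simulated     ", simulate((0.0, 0.0, 0.0), sigma, tr, 20000)[0])
    print("P_I small angle    ", p_isolation_small_angle(snr))
    print("P_I sector edges   ", p_isolation_sector_edges(snr))
    print("detect, isolate    ", simulate((f, 0.0, 0.0), sigma, tr, 20000))
    print("equal faults on 2,3 ->", isolate(parity((0.0, 1.0, 1.0))))
    print("equal faults on all ->", radius(parity((2.0, 2.0, 2.0))))
```

At an SNR of 5.77 the small-angle formula gives about 99.75%, while the sector-edge bound gives about 99.61%. Equal faults on controllers 2 and 3 are attributed to controller 1, and equal faults on all three leave the parity vector at the origin.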
Figure  4.27


The  conditional  probability  of  fault  isolation  for  dual  faults  must  also  be  addressed. 
Assuming  a  uniform  fault  distribution  where  the  fault  vector  has  equal  chances  of  occurring 
in  any  of  the  six  pie  sections  of  Figure  4.28,  the  conditional  probability  of  dual  fault 
isolation  is  easily  determined  to  be  two-thirds  of  the  total  possible  decision  area  (P12  = 
66.6%).  This  allows  correct  isolation  of  the  fault  to  either  one  of  the  two  faulty  controllers, 
while  the  other  is  reconfigured  with  the  valid  controller  to  the  DDRS.  Detection  of  the 
second  fault  would  have  to  be  accomplished  at  this  secondary  stage  with  the  difference  test. 
This  is  further  analyzed  below. 

Similar  to  the  hidden  faults  of  the  above  detection  scheme,  there  are  dual  faults 
which  cause  improper  fault  isolation  for  the  isolation  scheme.  Incorrect  isolation  occurs 
with  respect  to  a  common  bias  fault:  a  dual  fault  where  a  fault  of  approximately  equal 
amplitude  occurs  on  two  controllers  (see  Section  4.3.1,  Figure  4.3).  The  combination  of 
any  two  fault  signatures  of  equal  magnitude  in  the  parity  equation  (Equation  4.26,  4.27) 
produces  a  fault  vector  equivalent  to  the  inverse  of  the  third  fault  signature.  Our  analysis  of 
the  DDRS  suggested  that  the  probability  of  a  common  dual  fault  on  its  two  controllers  is 
T/FS  where  T  is  the  threshold  of  the  difference  test  and  FS  is  the  fullscale  for  the 
parameter.  There  are  three  such  possible  pairings  for  the  TRS  (i.e.  12,  23,  and  13)  and 
each  pairing  has  equal  probability.  Thus,  we  shall  analyze  only  one  pairing  of  a  common 
bias fault on controllers two and three which produces a fault vector in the direction of ±f1
(Figure  4.29).  The  shaded  portion  of  Figure  4.29  represents  the  decision  area  of  proper 
fault  isolation  (Ai)  for  the  dual  fault.  For  small  thresholds  T,  this  decision  area  is  very 
small  and  the  conditional  probability  of  common  bias  fault  isolation  is  approximated  by  the 
complement of the conditional probability of fault isolation (P2B = 1 - PI, Equation 4.49).
This  is  a  worst-case  approximation  as  the  effects  of  the  Gaussian  error  are  not  included. 
Note  that  hidden  dual  faults  are  also  common  bias  faults. 
Probability of a Common Bias Fault in TRS (given that a common bias has occurred)


WOLOG, f1 = 0 and |f2 - f3| ≤ T
Thus,  Pi  =  (^2  if 

Pr{ Common Bias Isolation | TRS Common Bias & Fault Detected } = P2B =

= (1 - PI) for small threshold T (Equation 4.49)


Figure  4.29 


Common  Bias  Fault  Represented  in  Parity  and  Fault  Space 
Reconfiguration  consists  of:  1)  removing  the  faulty  controller  from  the  output
estimation  scheme  (i.e.  averaging)  yet  still  including  it  as  a  voter  in  the  FDI  scheme  of  the 
TRS,  and  2)  immediately  performing  FDI  as  per  the  DDRS  upon  the  two  remaining  valid 
control  structures.  The  faulty  controller  is  simply  returned  to  valid  status  upon  a  successful 
comparison  test  for  the  TRS.  This  reconfiguration  scheme  allows  recovery  from  false 
alarms  and  transient  faults  and  maintains  the  independence  between  successive  comparison 
tests  of  the  TRS  over  the  mission.  However,  upon  reconfiguration  to  the  DDRS,  we  are 
left  with  only  one  parity  equation  (i.e.  the  difference  test)  and  the  parity  space  shrinks 
down  into  a  one-dimensional  line  in  which  direction  is  meaningless.  Hence,  a  dual  fault 
can  only  be  detected,  not  isolated,  efficiently  by  the  DDRS  (Section  4.3).  Subsequent 
decisions  must  be  based  on  further  analysis  of  the  individual  controllers  (simplex  FDI, 
Section  4.2).  Figure  4.30  depicts  the  decision  tree  associated  with  our  FDI  scheme  for 
three  levels  of  redundancy  where  correct  decisions  are  denoted  with  a  check  mark.  The 
probability  of  each  possible  system  state  and  of  the  total  system  error  can  be  directly 
determined  from  the  decision  tree  (Equations  4.50  -  4.59).  (Note:  system  shutdown  is  not 
considered  as  a  possible  system  state  in  this  exercise!) 

System States for the TRS

1: Triple Structure, All Working
2: Triple Structure, Two Working
3: Triple Structure, One Working
4: Triple Structure, None Working
5: Dual Structure, Both Working
6: Dual Structure, One Working
7: Dual Structure, None Working
8: Single Structure, Working
9: Single Structure, Not Working


P 


Error 


Probability  of  System  Error  for  the  TRS 

=  Ps2  +  Ps3  +  Ps4  +  Ps6  +  Ps7  +  Ps9  +  ^  ^10  +  3  Qs  ^  Rj  Qs"  P^.d  '  P,)  Pf,  \ 

=  Qg  +  2  Rg  Qg  for  the  optimal  fault  detection  and  isolation  scheme  (Equation  4.50) 


Probability  of  Each  Possible  System  State  for  the  TRS 


Pj. ;  P„  =  3  Rj  Qs  (P„^,  +  (-^)  (P^  -  P„’,)) ; 

8  FS 


_ (p^  -  P^  P  -  P^  — )))  P^  • 

„  ''10  MO^I  ^11  ■5''-'^  ^01  ’ 

8  FS  ^ 


01 


^S1  “  ^00’  ^S2  ”  ^01’  ^S3 

Ps4  =  Qs  (Po^i  +  -  Po.» ;  Ps5  =  <  Pio  3  Qs  <  Pu  Pi)  Po'^o  ^ 

Ps6  =  (3  Qs  Pu  (1  -  Pi)  +  3  R,  (Pu  f + ^  P^  d  '  P, '  f)  +  K '  Pi'o 

8  FS 

Ps,  =  (3  R,  (1  -  ^  -  ^)  P.’i  i  .  q/  P.’i  (1  -  -  X  P,))  P, 

+  (3RsQsHXp.V|Jp.^„)p,  +  Q’(XpTp,.^^ipT))P„'J; 

Ps8  =  <P.V3QsRs'PnPi)P?o 

+  (3  Qs  Rs^  P,'^.  (1  -  P,)  +  3  Rs  Qs^  (pJ,  I  +  X pT (, .  p_  . ^  (pT  .  p T  .  pT|j  pi 

8  FS 

Ps,  =  (3  Rs  Qs^  (1  -  X  .  g)  pT  i  ,  q3  pT  (1  .  2^  .  i  p_))  pO 

^  (3  Rs  Qs^  (X  pT  ^  ^  pT^  p_  ,  Q  3  (i  pT  p_  ,  pT  ),  p  D 

(3  Q,  Rj*  P,'^,  (1  - P,)  +  3  Rs Qs^  (P.'',  I  +  X p;f_(i .  Pj .  1)  +  ^  (pT  .  pT  p^ .  pT|^)  pi 

8  FS 

Equations  4.51  -  4.59 

where superscript T and D represent TRS and DDRS conditional probabilities,
respectively.
Figure 4.30  Decision Tree for FDI Scheme with Triple Redundancy

(Branch labels recoverable from the figure: Priors; Normal Operation; Single Fault; Dual Fault;
Dual Hidden Fault; Triple Fault; Triple Hidden Fault; Common Bias Fault; Both Controllers
Working; One Working, One Faulty; Both Controllers Faulty; DDRS Configuration.)


4.5.  Unrecoverable  Reconfiguration 


A  second  method  of  reconfiguration  for  redundant  structures  upon  fault  detection 
and  isolation  is  to  simply  ignore  the  faulty  controller  in  all  future  operations.  This  method 
places  a  higher  cost  on  structure  performance  under  fault  conditions  than  upon  performance 
at  a  reduced  level  of  redundancy.  However,  this  static  reconfiguration  scheme  does  not 
allow  for  recovery  from  false  alarms  or  transient  faults.  Further,  the  probability  of  false 
alarm  over  consecutive  samples  becomes  a  very  important  statistic  and  is  found  to  quickly 
increase  with  the  number  of  consecutive  samples  (k).  This  dramatic  increase  is  due  to  the 
memory-less  or  independent  nature  of  the  single  sample  tests  presented  above  for  the  FDI 
scheme.  [Walker] 

$$\Pr\{\text{Any False Alarm during } k \text{ Consecutive Samples}\} = 1 - (1 - P_{FA})^k$$

(Equation 4.60)

An example of this sequential decision error is presented in Figure 4.31 where PFA =
0.27% (as determined for our example of a fault detection scheme for the DDRS based on
the Neyman-Pearson criterion, Section 4.3.3). A small sample frequency relative to the
MTBF of the controllers (e.g. 1 Hz) would yield potentially disastrous results.
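
The growth described by Equation 4.60 can be put in numbers. The following is an added example, not part of the thesis: it uses the per-sample PFA of 0.27% and the 1 Hz rate quoted above, while the mission lengths, mission count and function names are constructed. It also simulates noise-only missions to contrast the unrecoverable (latched) scheme with the recoverable scheme of Section 4.4.3, in which a controller is readmitted once a later comparison test passes.

```python
import math
import random


def p_any_false_alarm(p_fa, k):
    """Equation 4.60: probability of at least one false alarm in k independent tests."""
    return 1.0 - (1.0 - p_fa) ** k


def samples_until(p_fa, target):
    """Smallest k at which the cumulative false-alarm probability reaches target."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_fa))


def simulate_missions(p_fa, k, missions, seed=7):
    """Noise-only missions of k samples: fraction ending with a controller excluded.

    First value:  unrecoverable scheme, where the first false alarm is permanent.
    Second value: recoverable scheme, where only the latest test result counts.
    """
    rng = random.Random(seed)
    latched_out = recoverable_out = 0
    for _ in range(missions):
        latched = alarm = False
        for _ in range(k):
            alarm = rng.random() < p_fa      # independent single-sample test
            latched = latched or alarm       # static reconfiguration never resets
        latched_out += latched
        recoverable_out += alarm
    return latched_out / missions, recoverable_out / missions


if __name__ == "__main__":
    p_fa = 0.0027                            # per-sample value quoted in the text
    for seconds in (60, 300, 3600):          # constructed mission lengths at 1 Hz
        print(seconds, "s:", round(p_any_false_alarm(p_fa, seconds), 4))
    print("samples to reach 50%:", samples_until(p_fa, 0.5))
    print("latched, recoverable:", simulate_missions(p_fa, 300, 2000))
```

At 1 Hz the cumulative false-alarm probability passes 50% after 257 samples, a little over four minutes, whereas under the recoverable scheme the fraction of missions ending with a controller excluded stays near the per-sample PFA.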
4.6.  Conclusions


In  contrast  with  current  fault-tolerant  control  schemes,  the  dual-difference 
redundant  structure  (DDRS)  and  triple  redundant  structure  (TRS)  provide  real-time  fault 
detection  and  error  accountability  for  sensor  systems  in  an  untended  manufacturing 
environment  without  the  use  of  a  process  model.  Also,  these  active  redundancy  schemes 
are  one  step  beyond  passive  schemes  (e.g.  TMR  or  NMR)  towards  complete  fault  coverage 
in  that  fault  occurrences  are  detected  and  not  merely  screened.  The  control  structures 
provide  fault-tolerant  control  (i.e.  fault  detection,  isolation,  and  reconfiguration)  to  the 
extent  of  their  capabilities.  Reconfiguration  consists  of  a  graceful  and  recoverable 
reorganization  of  the  system  to  a  structure  of  lesser  redundancy  and  reduced  performance. 
Hence,  each  redundant  control  structure  is  a  subset  of  all  structures  of  greater  redundancy. 
For  example,  the  triple  redundant  structure  provides  both  efficient  fault  detection  and 
isolation  with  a  rather  practical  FDI  scheme.  Upon  fault  detection,  the  TRS  is  reconfigured 
to  the  DDRS  with  the  two  remaining  valid  controllers.  In  this  manner,  fault-tolerant  control 
is  achieved. 

The  fault  detection  and  isolation  (FDI)  scheme  assumes  a  classical,  M-ary 
hypothesis  test  with  a  fixed,  singular  data  sample.  Thus,  there  are  M  possible  alternatives 
or event-hypothesis pairings each time a decision must be made. With any decision-making
process comes the possibility of decision errors; in this case, there is an inherent
give-and-take  between  the  two  decision  errors  of  false  alarms  and  missed  detections.  With 
any  FDI  scheme,  it  is  found  that  the  probability  of  these  decision  errors  is  inversely 
proportional  to  the  failure  signal-to-noise  ratio  (SNR).  This  analysis  is  concerned  with  the 
worst-case  fault  magnitude  of  fmin  which  is  the  smallest  fault  (and,  thus,  the  hardest  to 
detect)  of  accountable  cost  for  the  current  application.  It  is  further  generalized  to  account 
for  both  positive  and  negative  faults.  A  second  concern  of  decision  error  is  the  possible 
missed  detection  of  certain  multiple  faults  which  are  hidden  from  the  FDI  scheme.  For 
example,  the  difference  test  is  insensitive  to  a  dual  fault  where  a  fault  of  approximately
equal  amplitude  occurs  on  both  controllers.  This  analysis  assumes  a  uniform  fault 
distribution  across  the  space  of  all  possible  faults  and  found  the  effect  of  multiple  faults  on 
the  probability  of  decision  error  to  be  negligible.  The  resultant  set  of  system  states  and 
their  associated  probabilities  is  determined  from  a  decision  tree  for  each  redundant  structure 
based  on  its  FDI  and  reconfiguration  schemes. 

Several  fault  detection  and  isolation  schemes  are  examined  for  each  redundant 
structure.  The  FDI  scheme  can  be  optimized  by  using  a  generalized  likelihood  ratio  test 
(GLRT)  which  is  based  on  a  degenerated  Bayes  criterion.  This  analysis  utilizes  the  special 
cost  assignment  where  correct  decisions  incur  no  penalty  and  incorrect  decisions  incur  the 
same  penalty.  With  this  cost  assignment,  risk  is  equivalent  to  the  probability  of  decision 
error.  The  likelihood  ratio  is  determined  directly  from  the  ratio  of  the  marginal  or 
conditional  densities  of  the  parameter  or  parity  vector  under  either  event.  Another  possible 
FDI  scheme  is  based  upon  the  classical  Neyman-Pearson  criterion  of  radar  detection 
theory. Here, the conditional probability of false alarms PFA is constrained to remain less
than some arbitrarily small value α, known as the level or significance level of the test, and
then the conditional probability of fault detection PD is maximized to some value (1-β),
known as the power of the test. The resultant test for either FDI scheme compares a
significant statistic (e.g. the radius or absolute difference) to a derived threshold and is thus
generalized in order to account for a fault in any controller. This threshold is held constant
by the Neyman-Pearson criterion and is completely defined upon choosing the level of the
test (α). For the Bayes criterion, the threshold is varied according to the prior event
probabilities  of  the  control  structure  in  order  to  minimize  the  probability  of  decision  error. 
For  example,  the  threshold  is  originally  made  quite  large  compared  to  the  fault  magnitude 
while  the  probability  of  normal  operation  is  high  and  is  subsequently  pulled  closer  to  the 
origin as the probability of a structure fault becomes predominant.

In the next chapter, we analyze all relevant a priori uncertainty or entropy within the
control  system.  The  minimized  Gaussian  error  function  and  the  maximized  exponential 
reliability  function  provide  a  complete  concept  of  all  a  priori  knowledge  of  the  control 
structure.  The  marginal  or  conditional  probabilities  of  the  FDI  schemes  describe  the 
performance statistics associated with the redundant structure. The resultant set of system
states  and  their  associated  probabilities,  as  illustrated  by  the  decision  tree,  represents  all  a 
priori  uncertainty  in  the  control  system.  Information  theory  defines  entropy  as  a 
logarithmic  measure  of  the  randomness  or  'choice'  involved  in  an  event  or  the  prior 
uncertainty  of  the  outcome  of  an  experiment.  This  metric  of  uncertainty  allows  for 
comparisons  of  the  effective  system  performance  for  different  redundant  structures. 




Chapter  5 :  Entropy  Analysis  of  Redundant  Structures 


The  concept  of  entropy  has  a  rich  history  that  defies  disciplinary  boundaries  in  its 
application.  The  word  "entropy"  as  a  scientific  concept  was  first  used  in  thermodynamics 
by Clausius (1850). Its probabilistic interpretation in the context of statistical mechanics is
attributed to Boltzmann (1877). However, the explicit relationship between entropy and
probability  (Equation  5.1)  was  recorded  several  years  later  by  Planck  (1906).  This  thesis 
draws  heavily  from  Shannon's  celebrated  paper  (1948)  on  information  theory  where 
entropy  is  used  as  a  measure  of  information  (or,  more  to  the  point,  missing  information). 
Basic  to  the  concept  of  information  is  the  notion  of  uncertainty;  the  more  uncertain  we  are 
about  the  outcome  of  an  event,  the  greater  will  be  the  amount  of  information  associated 
with  the  outcome.  If  we  can  predict  in  advance  the  outcome  of  an  experiment,  then  no 
information  has  been  conveyed  by  the  experiment.  Jaynes  (1957)  reexamined  the  method 
of  maximum  entropy  (MEM)  and  applied  it  to  a  variety  of  problems  involving  the 
determination  of  unknown  parameters  from  incomplete  data.  Other  fields  of  research  have 
also  delved  into  the  application  of  entropy.  Weaver  wrote: 

Dr.  Shannon’s  work  roots  back  ...  to  Boltzmann’s  observation,  in  some  of  his 
work  on  statistical  physics  (1894),  that  entropy  is  related  to  “missing  information,” 
inasmuch  as  it  is  related  to  the  number  of  alternatives  which  remain  possible  to  a 
physical  system  after  all  the  macroscopically  observable  information  concerning  it 
has  been  recorded.  Szilard  (1925)  extended  this  idea  to  a  general  discussion  of 
information  in  physics  and  von  Neumann  (1932)  treated  information  in  quantum 
mechanics  and  particle  physics.  Weiner  has  been  ...  concerned  with  biological 
application  (central  nervous  system,  etc.).  [Shannon] 

The  most  famous  application  is  the  Second  Law  of  Thermodynamics:  the  entropy  of  a 
system  (e.g.  the  universe  or  a  control  structure)  will  always  increase  over  time.  An  optimal 
structure  or  system  design  with  respect  to  entropy  would  be  one  which  originates  with  a 
minimal  entropy  from  all  perspectives  and  degrades  at  a  minimal  pace.  This  widespread 
application of entropy attests to its fundamental nature and allows for linkage into a more
comprehensive  system  representation  of  uncertainty  by  incorporation  of  other  system 
entropies:  the  process  and  its  disturbances  [Papoulis],  the  control  scheme  [Weidemann, 
Weiner]  and  planning  procedures  [Valavanis],  reasoning  and  other  information  processing 
algorithms  [Stephanou],  etc. 

5.1.  Measure  of  Uncertainty  in  the  A  Priori  Knowledge 

Our  goal,  thus  far,  has  been  the  definition  of  all  a  priori  knowledge  associated  with 
redundant  structure  performance.  The  reliability  analysis  defines  how  long  the  structure 
will operate without failure; while the error analysis defines how accurately the structure will
operate  given  that  no  failure  has  occurred.  Due  to  the  inherent  uncertainty  in  this 
knowledge,  conditional  error  is  characterized  by  a  Gaussian  density  function  and  reliability 
by  an  exponential  distribution.  The  marginal  or  conditional  probabilities  of  the  FDI 
schemes  describe  the  performance  statistics  associated  with  the  redundant  structure.  The 
resultant  set  of  system  states  and  their  associated  probabilities,  as  illustrated  by  the  decision 
tree,  represents  all  a  priori  uncertainty  in  the  control  system.  Information  theory  defines 
entropy  (H)  as  a  measure  of  information,  choice,  and  uncertainty.  [Shannon]  Entropy  is 
a  logarithmic  measure  of  the  randomness  or  'choice'  involved  in  an  event  or  the  prior 
uncertainty  of  the  outcome  of  an  experiment.  It  can  be  formulated  from  the  probabilities  of 
an  exhaustive  set  of  n  possible  events  or  experiments  (discrete  case)  or  from  the  pdf  of  a 
continuous  distribution  (continuous  case): 

$$H = -\sum_{i=1}^{n} p(X_i)\log p(X_i) = -\int_{-\infty}^{\infty} p(x)\log p(x)\,dx$$ (Equation 5.1)

This formulation is particularly suited for representing the uncertainty inherent within
discrete event sets for many reasons. Entropy increases monotonically with n and a
maximum entropy of log n is achieved when all n events are equally probable. This is
intuitively the most uncertain situation. Any change towards equalization of the
probabilities or uniformity in the density function causes a subsequent increase in the
entropy. A minimum entropy of zero occurs when the outcome is known with certainty.
Any change towards a dominant probability or a focusing of the density function allows for
a subsequent decrease in the entropy. Otherwise, the entropy of discrete event sets is
positive and is bounded by these extreme cases. An important property of entropy is that it
is additive for independent experiments due to its logarithmic formulation. In conclusion,
entropy is a measure of our a priori knowledge or, more appropriately, lack of knowledge
(i.e. ignorance/uncertainty) in terms of our a priori probabilities. This metric of
uncertainty allows for comparisons of the effective system performance for different
redundant structures.

Uncertainty comparisons between discrete event sets can be easily made with an
entropy analysis of their associated probability sets. Binary sets, consisting of an event
and its complement, are the simplest case (n=2) and yet are the most important comparison
size or dimension found within digital communication theory. The entropy of a binary set
is maximized as the two events become equally probable (p = 0.5) and is minimized as one
event becomes certain. These concepts of uniformity and polarity form the basis for
comparisons between n-ary event sets. As mentioned above, any change or difference
between two n-ary event sets towards equalization of the n discrete probabilities determines
a corresponding increase in the entropy of the sets (i.e. in comparison, a trend towards
uniformity in the probabilities indicates a trend towards greater entropy in the event sets).
The fact that entropy increases monotonically with n allows for comparisons of event sets
of different sizes. All things being equivalent, a discrete event set of larger size will have
greater entropy due to the added complexity of additional states. Thus, comparisons of our
uncertainty about different discrete event sets are facilitated by entropy.

The entropy of a continuous distribution is defined in an analogous manner to the
entropy of discrete event sets (Equation 5.1). However, an important distinction exists
between the two cases. In the discrete case, the chance variables are the events which are
mutually exclusive and their union is the certain event (p1 + p2 + ... + pn = 1). Entropy is
defined  for  a  given  partition  of  the  event  space  into  a  set  of  n  distinct  events.  The 
uncertainty  or  randomness  of  the  events  is,  therefore,  measured  in  an  absolute  way  (i.e. 
relative  to  the  n-ary  partition  and  its  associated  n  probabilities;  irrespective  of  the  event 
space)  and,  as  seen  in  the  preceding  paragraph,  this  allows  for  direct  numerical 
comparisons  of  the  entropies  of  discrete  event  sets.  Uncertainty  comparisons  can  even  be 
made  between  two  independent  event  sets  which  have  nothing  to  do  with  one  another  (e.g. 
apples  and  oranges).  In  the  continuous  case,  the  chance  variable  is  a  measurement  whose 
value  is  relative  to  a  coordinate  system  with  an  assumed  standard  or  measurement  scale. 
The  entropy  of  a  continuous  distribution  cannot  be  defined  in  an  absolute  fashion  because 
the events do not form a partition (n = ∞) and are of an arbitrary size dependent on the
coordinate  system.  Comparisons  cannot  be  made  between  coordinate  systems  unless  the 
transformation  or  relationship  between  their  respective  unit  volumes/vectors  is  known. 
Uncertainty  comparisons,  therefore,  can  only  be  made  between  continuous  distributions 
transformed  into  or  originating  from  the  same  coordinate  system.  Transformation  of  a 
density  function  (Section  5.3)  would  assign  a  new  entropy  to  the  distribution  relative  to  the 
new  coordinate  system. 

In  spite  of  this  dependence  on  the  coordinate  system,  the  entropy  concept  is  as 
important  in  the  continuous  case  as  in  the  discrete  case.  In  fact,  one  conventional 
uncertainty  comparison  is  the  change  or  difference  in  the  entropy  of  a  specific  variable’s 
distribution  (as  opposed  to  uncertainty  comparisons  between  multiple  variables)  as  the 
system  passes  into  some  other  state  or  is  affected  by  some  event.  In  addition,  the  entropies 
of continuous distributions have most, but not all, of the properties of the discrete case.
Other  distinctions  due  to  this  arbitrary  scale  of  reference  are  listed  hereafter: 


The entropy of a continuous distribution can take any value in (-∞, ∞). Zero
entropy for a given measurement scale corresponds to a uniform density over a unit volume
(H = -∫...∫ 1 log 1 dx1 dx2 ... dxn = 0) and any distribution of smaller volume will have
a negative entropy.


If  the  density  function  is  bandlimited  to  a  finite  volume  a,  maximum  entropy  of 
(log  a)  corresponds  to  a  uniform  density  of  p(x)  =  1/a  for  all  x: 


log  a 


(Equation  5.2) 


If  the  density  function  is  limited  to  an  average  power,  maximum  entropy 
corresponds  to  a  Gaussian  density: 

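$$p(x) = \text{Gaussian}(0,\sigma) = \frac{1}{\sigma\sqrt{2\pi}}\,e^{-x^2/2\sigma^2} \quad\text{where}\quad \sigma^2 = \int p(x)\,x^2\,dx$$

$$-\log p(x) = \log\sigma\sqrt{2\pi} + \frac{x^2}{2\sigma^2}$$

$$H(x) = \log\sigma\sqrt{2\pi}\int p(x)\,dx + \frac{1}{2\sigma^2}\int p(x)\,x^2\,dx = \log\sigma\sqrt{2\pi} + \frac{1}{2} = \log\sigma\sqrt{2\pi e}$$ (Equation 5.3)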


This  direct  relationship  between  entropy  and  variance  implies  that  a  minimum  mean-square 
error  (MSE)  design  for  Gaussian  random  variables  is  always  a  minimum  entropy  design. 


If  the  density  function  is  limited  to  a  half-line  (p(x)  =  0  for  x  <  0)  and  the  first 
moment or mean is fixed at β, maximum entropy corresponds to an exponential density:

$$p(x) = \frac{1}{\beta}\,e^{-x/\beta} \quad\text{where}\quad \beta = \int p(x)\,x\,dx$$

$$H(x) = \log\beta\int p(x)\,dx + \frac{1}{\beta}\int p(x)\,x\,dx = \log e\beta$$ (Equation 5.4)

The  entropy  of  the  Gaussian  conditional  error  function  for  an  N  redundant  control 
structure is H(e) = log(σ√(2πe/N)) by Equations 3.3 and 5.3. The entropy of redundant
structures can be directly compared with respect to their scaling in %FS and it is observed
that the entropy of the error distribution is reduced with the level of redundancy employed.
The failure time density of the control structure is an exponential function (Equation 3.10)
limited to a half-line due to the causal nature of the process and has a fixed mean which is
estimated by MTBF. By Equation 5.4, the entropy of the failure time density is, therefore,
H(f) = log(eA) = log(e * MTBF) and is directly related to the structure's MTBF.
Redundancy  of  the  control  structure  provides  an  increase  in  the  system  MTBF  and  entropy. 

Note  that  error  and  reliability  are  represented  by  distributions  which  maximize  the 
entropy  with  respect  to  the  given  information.  Jaynes  found  that  Information  Theory 
provides  a  constructive  criterion  (i.e.  the  maximum  entropy  method,  MEM)  for  setting  up 
probability  distributions  on  the  basis  of  partial  knowledge.  [Jaynes]  Among  all 
distributions  which  are  concomitant  with  the  available  information,  the  selected  density 
function  is  the  one  which  is  maximally  vague  or  minimally  prejudiced  regarding  the 
missing  information.  Jaynes  further  showed  that  the  theory  of  MEM  statistical  inference  is 
mathematically  identical  with  the  rules  of  calculation  provided  by  statistical  mechanics. 
Tribus  demonstrated  that  all  of  the  laws  of  classical  thermodynamics  can  be  defined  from 
Shannon’s entropy using the principle of maximum entropy. [Tribus]

Figure 5.1 Triangular Probability Density Function


The  entropy  of  a  triangular  probability  density  function  (Figure  5.1)  can  also  be  derived. 
Averaging  two  independent  random  variables  with  uniform  distributions  of  base  width  2B 
results  in  a  triangular  density  of  base  width  2B.  [Peebles] 


$$H(x) = -\log\left(\frac{1}{B}\right) + \frac{1}{2} = \log\left(B\sqrt{e}\right)$$ (Equation 5.5)

This distribution can be approximated by a Gaussian distribution with a standard deviation
of σ_2F = B/√6 by Equation 3.6 and with an entropy of H(e) = log(B√(πe/3)) ≈
log(B√e) by Equation 5.3. The entropy of the triangular density is found to increase with
the base width and is less than the entropy of a uniform density (Equation 5.2) of same
base width (a = 2B) by an amount of log(2/√e) = 0.2.

5.1.1. Structure Certainty vs. Structure Performance


The  entropy  of  the  reliability  distribution  is  interpreted  as  our  uncertainty  of  the 
normal  behavior  or  operation  of  the  control  structure  over  time  (with  respect  to  some  unit  of 
time). The greater the control structure's MTBF; the bigger the reliability distribution over
time; and, therefore, the greater the entropy of the controller (Equation 5.4). In an
uncertainty comparison with respect to a common time frame, we are more certain in the
failure time of the controller with the smaller MTBF and reliability distribution. This is due
to two factors of the smaller distribution with respect to the larger distribution: the quicker
descent  of  its  reliability  over  time  (we  quickly  lose  faith  in  its  performance  while  our  period 
of  uncertainty  in  the  other  controller’s  performance  is  much  longer)  and  the  fact  that  its 
reliability  approaches  zero  sooner  (we  become  certain  that  a  failure  has  occurred  while  we 
are  still  unsure  of  the  other  controller’s  performance).  These  results  are  determined  from 
Equation  5.4  with  respect  to  the  failure  time  density  function  f(t)  and  its  distribution  (i.e. 
the  unreliability  Q(t)).  The  structure  with  greater  MTBF  has  a  failure  function  with  greater 
spread  and  therefore  greater  entropy  (Figure  5.2). 

This  representation  of  our  uncertainty  in  a  control  structure's  reliability  betrays  the 
intrinsic  trust  or  confidence  we  place  in  a  controller  with  a  greater  MTBF  and  reliability 
distribution.  We  assert  that,  "We  are  certain  that  the  controller  with  a  greater  MTBF  is 
more  reliable  over  the  mission  time."  The  important  distinction  to  be  made  is  that  the 
entropy  of  a  control  structure  variable,  as  defined  in  Equation  5.1,  is  a  measure  of  the 
uncertainty  in  the  knowledge  of  that  variable  (as  defined  by  its  pdf)  and  not  a  measure  of 
the  chaos  or  discord  caused  by  the  variable  to  the  structure.  A  control  structure  with  lower 
entropy  is  not  necessarily  a  better  system;  we  could  be  highly  certain  that  the  structure  is 
inoperative  or  in  some  other  unwanted  state.  Care  must  be  taken  not  to  reduce  uncertainty 
at a cost to performance of the control structure.

[Figure 5.2 annotations: MTBF2 < MTBF1; H(R2) < H(R1); H(System2) > H(System1)]

Figure 5.2 Entropy Comparison of the Reliability of Two Structures

Certainty in knowing the state of a system ≠ Certainty or Confidence in system performance


5.2.  Effect  of  Transformations  on  Entropy 

A  special  case  of  dependent  event  sets  or  distributions  is  when  the  dependence  of 
the  event  sets  can  be  expressed  as  a  transformation  or  function  of  one  event  to  the  other. 
This  transformation  between  event  sets  X  and  Y  can  be  expressed  by  the  equation  y  =  g(x) 
and,  in  this  case,  the  entropies  of  the  event  sets  can  be  compared  with  one  another. 
Independent  event  sets  cannot  be  represented  with  a  transformation.  If  the  transformation 
has a unique inverse x = g⁻¹(y), then there exists a one-to-one correspondence between the
domain and range of the function (here, the discrete events of X and Y) and, therefore,
p(Y = yi) = p(X = xi) for i = 1...n. For an invertible transformation, H(Y) = H(X).
If the transformation does not have a unique inverse, then there exists a solution y for more
than one value of x. Thus, the event set X is of larger size than the event set Y and has
greater entropy (H(Y) < H(X)) due to the added complexity of additional states. Here, the
transformation y = g(x) on the discrete event space X has resulted in a reduction in the
entropy. Similar results follow from the continuous case: [Papoulis]

If the dependence between two continuous variables can be represented by the
transformation y = g(x), then

$$H(y) \le H(x) + E\{\ln|g'(x)|\}$$ (Equation 5.6)

with  equality  iff  the  transformation  is  invertible. 

If the dependence between two continuous vectors can be represented by a set of n
functions yi = gi(x1,..., xn), then

$$H(y_1,\ldots,y_n) \le H(x_1,\ldots,x_n) + E\{\ln|J(x_1,\ldots,x_n)|\}$$ (Equation 5.7)

with equality iff the transformation is invertible and where J(x1,...,xn) is the Jacobian of
the transformation.

If the dependence between two continuous vectors can be represented by a set of n
linear transformations yi = gi(x1,..., xn) = ai1 x1 + ... + ain xn, then

$$H(y_1,\ldots,y_n) = H(x_1,\ldots,x_n) + \ln|\Delta|$$ (Equation 5.8)

where Δ denotes the determinant of transformation matrix G.

As  an  exercise,  consider  the  linear  transformation  of  rescaling  the  error  budget  of 
the  control  structure  (Equation  2.1)  from  units  of  %FS  to  Volts  for  a  fullscale  value  of  10 
Volts.  This  can  be  represented  as  y  =  x*10/100%  =  x/10%.  The  derivative  of  the 
transformation  g'(x)  and  the  determinant  of  the  [1x1]  transformation  matrix  G  is  1/10. 
The  probability  density  for  the  control  structure  error  is  defined  as  Gaussian  and  the 
entropy  of  this  pdf  is  directly  dependent  on  the  standard  deviation  (Equation  5.3).  For  our 
example  error  budget,  the  standard  deviation  would  be  rescaled  from  0.3276%FS  to 
0.03276  Volts  by  this  linear  transformation.  The  resulting  entropy  of  the  error  density 
scaled  in  Volts  is  found  to  be  less  than  the  entropy  of  the  same  error  density  scaled  in  %FS 
(Equations  5.6,  5.8).  This  exercise  shows  the  dependence  of  entropy  upon  the  coordinate 
system  in  defining  the  uncertainty  of  a  continuous  density. 

$$H(y) = \log\left(0.3267\,\%\text{FS}\,\sqrt{2\pi e}\right) + \log(0.1) = \log\left(0.03267\,\text{V}\,\sqrt{2\pi e}\right) = 0.135$$

5.3. The Measure Function


A  second  formulation  for  the  entropy  of  continuous  distributions  is  suggested 
(Equation  5.9).  Jaynes  refers  to  the  addition  m(x)  to  the  entropy  formulation  as  a  "measure 
function"  which  is  proportional  to  the  limiting  density  of  the  discrete  or  sampled  points  of 
the  density  function  p(x).  If  the  precision  of  the  random  variable  or  coordinate  system  is 
given as ± Δx/2, then the limiting density function is a uniform 1/Δx about each point.
Regardless, the measure function m(x) is introduced in Equation 5.9 in order to make the
expression dimensionless under the logarithm and to remove the dependence upon
coordinate system. Hence, the choice of measure function determines the position of zero
on the entropy scale and is completely arbitrary. In particular, we might make m(x) = Δx =
1 to retain Shannon's formulation (Equation 5.1) and thereby associate zero entropy with
the standard unit of measurement for p(x). Proper choice of the measure function allows
for comparisons between continuous distributions by placing them on the same entropy
scale (i.e. with respect to m(x)). In addition, joint entropies can be formulated due to our
understanding of the relative contributions from different variables upon system entropy.
This understanding is not possible with Shannon's formulation of entropy. [Jaynes,
Papoulis, Pugachev]

$$H(x) = -\int_{-\infty}^{\infty} p(x)\log\frac{p(x)}{m(x)}\,dx = -\int_{-\infty}^{\infty} p(x)\log p(x)\,dx - \log\Delta x$$ (Equation 5.9)

Note that the equations for Shannon's entropy need only slight modification (i.e.
subtracting log Δx from its final form) to achieve Equation 5.9. We shall refer to
Equation 5.9 as the entropy for continuous distributions in all further discussions.

The major change of this reformulation is that entropy is unaffected by rescaling of
the  coordinate  system  and  invariant  to  invertible  transformations  by  proper  choice  of  the 
measure  function  m(x).  First,  we  will  consider  rescaling  of  the  coordinate  system.  Since 
both  the  density  p(x)  and  measure  m(x)  functions  are  of  the  same  coordinate  system,  both 
functions  are  transformed  in  the  same  fashion  upon  a  change  or  rescaling  of  the  variable  x. 
These  changes  cancel  each  other  out  in  the  logarithm  and  therefore  entropy  is  invariant  to  a 
change  in  variable.  Second,  Equations  5.6  -  5.8  describe  the  effect  of  a  transformation 
upon  Shannon's  entropy  of  a  continuous  variable  or  vector.  Application  of  the  measure 
function  is  straightforward.  For  example,  the  entropy  of  the  variable  x  upon  invertible 
transformation  g(x)  to  the  variable  y  is  redefined  as: 

$$H(y) = H(x) + E\{\log|g'(x)|\} + \log\frac{\Delta x}{\Delta y} = H(x) + E\left\{\log\frac{\Delta x}{\Delta y}|g'(x)|\right\}$$

(Equation  5.10) 

If  two  continuous  distributions  are  related  by  an  invertible  transformation,  then  uncertainty 
comparisons  are  possible  with  respect  to  the  measure  functions  by  Equation  5.10.  The 
entropy  of  the  random  variable  is  unaffected  by  the  invertible  transformation  y  =  g(x) 
(i.e. H(y) = H(x)) by proper choice of the measure function Δy:

Δy = Δx*|g'(x)|

(Equation 5.11)

For scaling or linear transformations, this choice of the measure function Δy is equivalent
to the transformation of the measure function Δx and is determined by:

Δy = the transformation of Δx = g(Δx) = Δx*|g'(x)| = Δx*gain.

(Equation  5.11) 

In  this  manner,  all  random  variables  associated  by  an  invertible  transformation  contain 
exactly  the  same  amount  of  information.  Entropy  is  invariant  to  invertible  transformation. 
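
The closed forms of Equations 5.3 to 5.5 and the %FS-to-Volts exercise of Section 5.2 can be checked by numerical integration, together with the measure-function correction of Equations 5.9 and 5.11. This is an added example, not code from the thesis; it uses natural logarithms, σ = 0.3276 %FS and the gain of 1/10 come from the text, and the MTBF of 5000 and B = 2 are constructed values.

```python
import math

def entropy(pdf, lo, hi, steps=100_000):
    """Shannon's continuous entropy -∫ p(x) ln p(x) dx (Equation 5.1), in nats.

    Midpoint-rule integration over [lo, hi]; the caller picks limits wide
    enough that the truncated tails are negligible.
    """
    dx = (hi - lo) / steps
    h = 0.0
    for k in range(steps):
        p = pdf(lo + (k + 0.5) * dx)
        if p > 0.0:                      # p ln p tends to 0 as p tends to 0
            h -= p * math.log(p) * dx
    return h

def gaussian(sigma):
    c = 1.0 / (sigma * math.sqrt(2.0 * math.pi))
    return lambda x: c * math.exp(-x * x / (2.0 * sigma * sigma))

def exponential(mean):
    # Half-line density with fixed mean (the failure time density).
    return lambda t: math.exp(-t / mean) / mean if t >= 0.0 else 0.0

def triangular(b):
    # Base width 2B, peak 1/B at the origin (Figure 5.1).
    return lambda x: max(0.0, (b - abs(x)) / (b * b))

def closed_forms(sigma=0.3276, mtbf=5000.0, b=2.0):
    """(numeric, closed form) pairs for Equations 5.3, 5.4 and 5.5.

    sigma is the page's error-budget value; mtbf and b are constructed.
    """
    return {
        "gaussian": (entropy(gaussian(sigma), -12 * sigma, 12 * sigma),
                     math.log(sigma * math.sqrt(2 * math.pi * math.e))),
        "exponential": (entropy(exponential(mtbf), 0.0, 40 * mtbf),
                        math.log(math.e * mtbf)),
        "triangular": (entropy(triangular(b), -b, b),
                       math.log(b * math.sqrt(math.e))),
    }

def uniform_minus_triangular(b=2.0):
    """Entropy of a uniform density of width 2B (Equation 5.2) minus the
    numerically integrated entropy of the triangular density of the same width."""
    return math.log(2 * b) - entropy(triangular(b), -b, b)

def rescale(sigma_fs=0.3276, gain=0.1, delta_fs=1.0):
    """Section 5.2 exercise: y = g(x) = gain * x maps %FS to Volts.

    delta_fs is the measure (unit of precision) chosen on the %FS scale;
    the measure on the Volts scale follows from Equation 5.11.
    """
    sigma_v = gain * sigma_fs
    h_fs = entropy(gaussian(sigma_fs), -12 * sigma_fs, 12 * sigma_fs)
    h_v = entropy(gaussian(sigma_v), -12 * sigma_v, 12 * sigma_v)
    delta_v = delta_fs * abs(gain)                   # Equation 5.11
    return {
        "shannon_fs": h_fs,
        "shannon_v": h_v,
        "shift": h_v - h_fs,                         # ln|g'(x)|, Equations 5.6 and 5.8
        "measured_fs": h_fs - math.log(delta_fs),    # Equation 5.9
        "measured_v": h_v - math.log(delta_v),       # Equation 5.9 on the new scale
    }

if __name__ == "__main__":
    for name, (numeric, closed) in closed_forms().items():
        print(f"{name:12s} numeric={numeric:.6f} closed form={closed:.6f}")
    print("uniform - triangular:", round(uniform_minus_triangular(), 4))
    for key, value in rescale().items():
        print(f"{key:12s} {value:.6f}")
```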

5.4. Conditional and Joint Entropy


Another  special  case  of  probability  is  when  the  event  sets  or  distributions  are 
conditioned  upon  one  another.  This  dependence  between  event  probabilities  in  a  set  is 
expressed by conditional probabilities p(Xi|Yj) and the probability of an event in set X is
defined by the theorem of total probability (Equation 5.12). Similarly, dependence
between the probabilities of continuous variables is expressed by a conditional probability
density p(x|y). Independent event sets or variables can be represented with an equivalent
conditional probability set or a uniform conditional probability density. Equation 5.13d
defines the mean conditional entropy H(X|Y) of event set X with respect to event set Y as
the average of the entropy of the conditional probability set weighted by the probability of
getting that particular Y. Similarly, Equation 5.13c defines the mean conditional entropy of
a variable x with respect to a variable y. This quantity measures how certain we are of X
on the average when we know Y. Equations 5.14d and 5.14c define the joint entropy
H(X,Y) of event sets or continuous variables X and Y as the sum of the entropy of Y and
the mean conditional entropy of X with respect to Y, or vice versa. There are two
important results from this exercise. First, the entropy of an event set or variable
monotonically decreases as it is conditioned on other event sets or variables
(H(X|Y) < H(X)). Our uncertainty over an event set or variable is reduced when we can
base our decision on its relation to other event sets or variables. Independent event sets or
variables cause no such reduction in entropy (H(X|Y) = H(X)). Second, the joint entropy
of event sets or variables is reduced if they are conditioned on one another. This follows
directly from the fact that independent events/variables cause no reduction in the conditional
entropies of the events/variables. As stated above, the entropy of independent event sets or
variables is merely the sum of the entropies of each component:


(H(X,Y)dependent = H(Y) + H(X|Y) < H(X,Y)independent = H(Y) + H(X)).


Therefore,  the  worst-case  or  maximum  joint  entropy  can  always  be  defined  as  the  direct 
sum  of  the  component  entropies.  In  addition,  the  joint  entropy  function  (Equation  5.14) 
possesses  an  additivity  property  which  allows  the  partitioning  of  the  overall  uncertainty  of 
several  variables  into  the  uncertainty  of  the  first  plus  the  uncertainty  of  the  second 
remaining  after  knowledge  of  the  first,  etc.  [Shannon] 

Discrete  Event  Sets 


$$p(X_i) = p(X_i|Y_1)\,p(Y_1) + p(X_i|Y_2)\,p(Y_2) + \ldots + p(X_i|Y_n)\,p(Y_n)$$ (Equation 5.12)

$$H(X|Y) = -\sum_j p(Y_j)\sum_i p(X_i|Y_j)\log p(X_i|Y_j) = \sum_j p(Y_j)\,H(X|Y_j) \le H(X)$$ (Equation 5.13d)

$$H(X,Y) = -\sum_{i,j} p(X_i,Y_j)\log p(X_i,Y_j) = H(Y) + H(X|Y) = H(X) + H(Y|X)$$ (Equation 5.14d)


Continuous  Distributions 

H(XIY)  =  “Jp(y)  Jp(xly)log^^axay  =  ■  JJ  p(x,y)  log  ay  <  KQQ 

(Equation  5.13c) 

H(X,Y)  =  -JJ  p(x,y)  log  ay  =  Jl(Y)  +  H(XIY)  =  K(X)+K(YIX) 

(Equation  5.14c) 

However, one cannot say anything in comparison of H(X) and H(Y) by merely knowing
that they are conditioned on each other. Given high confidence in X, this does not mean
we have high confidence in Y when it is conditioned on X (i.e. its dependence may be
weak, its conditional probabilities approaching equivalence). The inherent difficulties of
uncertainty comparisons between continuous variables hold for conditional variables (i.e.
arbitrary  scaling  or  coordinate  systems).  Therefore,  a  measure  function  is  still  required  to 
properly  formulate  a  joint  entropy  or  make  any  uncertainty  comparisons. 


5.5.  Mutual  Information  and  the  Information  Rate 


The  mutual  information  I(x,y)  between  two  random  variables  is  defined  as  the 
measure  of  the  amount  of  information  given  for  one  variable  by  observing  the  other. 
Equivalently,  it  is  viewed  as  a  measure  of  the  reduction  of  uncertainty  within  one  variable 
upon  knowing  the  other.  Mutual  information  can  be  represented  in  many  equivalent  forms: 


$$I(x,y) = H(X) - H(X|Y) = H(Y) - H(Y|X) = H(X) + H(Y) - H(X,Y)$$

(Equation  5.15) 


$$I(x,y) = I(y,x) = \int_{-\infty}^{\infty}\int_{-\infty}^{\infty} p(x,y)\log\frac{p(x,y)}{p(x)\,p(y)}\,dx\,dy \ge 0$$

(Equation  5.16) 


Note that mutual information cannot be negative because H(X) ≥ H(X|Y) (Equation 5.13)
and is zero for independent random variables because the uncertainty in one variable is
unaffected by knowing the other (H(X|Y) = H(X)). [Pugachev]


Invertible  transformations  are  a  member  of  a  special  class  of  "information 
preserving  transformations".  [Weidemann]  From  Section  5.2,  entropy  is  invariant  to 
invertible  transformations  y  =  g(x)  such  that: 

I(X,Y) = H(X) = H(Y) and H(X|Y) = H(Y|X) = 0

For any other random variable z:

H(X|Z) = H(X,Y,Z) - H(Z) - H(Y|X,Z)

= H(X,Y,Z) - H(Z) - H(X|Y,Z) = H(Y|Z)

Therefore: I(X,Z) = H(X) - H(X|Z) = H(Y) - H(Y|Z) = I(Y,Z)


Consequently,  invertible  transformation  of  a  random  variable  does  not  change  the  mutual 
information  it  may  have  with  any  other  random  variable.  In  practice,  however,  operations 
upon  a  random  variable  are  accompanied  by  a  loss  of  information  due  to  noise  or  other 
interference. 
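
The quantities of Equations 5.12 to 5.15 computed for a discrete source observed through a channel, as an added example that is not part of the thesis. It shows the three cases discussed above: an invertible (noiseless) mapping, a noisy mapping, and independent variables. The three-state source and the transition matrices are constructed values, and natural logarithms are used.

```python
import math

def H(probs):
    """Entropy of a discrete probability set (Equation 5.1), in nats."""
    return -sum(p * math.log(p) for p in probs if p > 0.0)

def marginals(joint):
    """joint[i][j] = p(X_i, Y_j); returns (p(X), p(Y)) by summing out the other set."""
    return [sum(row) for row in joint], [sum(col) for col in zip(*joint)]

def cond_entropy(joint):
    """H(X|Y): the p(Y_j)-weighted average of H(X|Y_j) (Equation 5.13d)."""
    _, py = marginals(joint)
    return sum(pyj * H([row[j] / pyj for row in joint])
               for j, pyj in enumerate(py) if pyj > 0.0)

def analyse(px, transition):
    """px[i] = p(X_i); transition[i][j] = p(Y_j | X_i)."""
    joint = [[px[i] * t for t in transition[i]] for i in range(len(px))]
    p_x, p_y = marginals(joint)
    hx, hy = H(p_x), H(p_y)
    hxy = H([p for row in joint for p in row])            # Equation 5.14d
    return {
        "H(X)": hx, "H(Y)": hy, "H(X,Y)": hxy,
        "H(X|Y)": cond_entropy(joint),
        # Transposing the joint table swaps the roles of X and Y.
        "H(Y|X)": cond_entropy([list(col) for col in zip(*joint)]),
        "I": hx + hy - hxy,                                # Equation 5.15
    }

def relabel(transition, perm):
    """Invertible relabelling of the received symbols: new column k is old column perm[k]."""
    return [[row[k] for k in perm] for row in transition]

# Constructed values: a three-state source and three channels.
SOURCE = [0.90, 0.08, 0.02]
NOISELESS = [[0, 1, 0], [0, 0, 1], [1, 0, 0]]             # one-to-one mapping
NOISY = [[0.95, 0.04, 0.01], [0.10, 0.85, 0.05], [0.05, 0.15, 0.80]]
INDEPENDENT = [[0.5, 0.3, 0.2]] * 3                       # Y ignores X entirely

if __name__ == "__main__":
    for name, channel in [("noiseless", NOISELESS), ("noisy", NOISY),
                          ("independent", INDEPENDENT),
                          ("noisy, relabelled", relabel(NOISY, [2, 0, 1]))]:
        result = analyse(SOURCE, channel)
        print(name, {k: round(v, 4) for k, v in result.items()})
```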


Figure  5.3  General  Communication  System 


Shannon  evaluated  the  performance  of  a  general  communication  system  in  the 
presence  of  noise  (Figure  5.3).  In  this  context,  a  control  structure  can  be  considered  the 
channel  which  attempts  to  communicate  control  needs  to  the  process  while  contending  with 
error  or  noise  sources  inherent  within  the  signal  transmission.  These  error  sources  are 
represented  by  the  error  budget  of  Chapter  2.  Due  to  these  errors,  it  is  not  possible  to 
completely  reconstruct  the  transmitted  signal  by  any  operation  upon  the  received  signal  and 
information  is  lost.  Shannon  found  methods  of  transmitting  or  encoding  the  source  signal 
which  are  optimal  in  combating  noise  (detailed  below).  In  this  thesis,  the  source  is  fixed 
and  minimization  of  the  information  lost  is  the  only  possible  optimization  of  the  system. 

The  rate  of  information  transmission  (R)  across  the  channel  is  expressed  as  the 
mutual  information  between  the  transmitted  and  received  signals  (Equation  5.15,  5.16). 
The first defining expression, H(X) - H(X|Y), can be interpreted as the amount of
information sent less the uncertainty of what was sent; the second, H(Y) - H(Y|X),
measures the amount received less the part which is due to noise. The ideal, noiseless case
is presented above as invertible transformation. No information is lost by such
"information preserving transformations" and transmission is simply the entropy of the
source (R = H(X)). The worst case of noise or interference occurs when the transmitted
and  received  signals  are  independent.  Here,  the  rate  of  information  transmission  is  zero 
(R  =  0).  The  optimal  rate  of  transmission  for  a  system  is  one  which  maximizes  the  mutual 
information  between  the  source  and  output  of  the  channel. 

The capacity (C) of a noisy communication system is defined as the optimal or
maximum  possible  rate  of  transmission  over  the  channel.  A  communication  system  reaches 
capacity  when  its  information  source  is  "matched"  to  its  channel.  Optimization  of  the  rate 
of  transmission  consists  of  minimizing  the  lost  information  due  to  noise  while  maximizing 
the  information  contained  within  the  source: 

$$\max I(x,y) = \max\big(H(X) - H(X \mid Y)\big) \;\Rightarrow\; \max H(X) \text{ and } \min H(X \mid Y)$$

(Equation  5.17) 

Alternatively,  optimization  of  the  rate  of  transmission  consists  of  minimizing  the 
interference  while  maximizing  the  information  contained  within  the  received  signal: 

$$\max I(x,y) = \max\big(H(Y) - H(Y \mid X)\big) = \max\big(H(Y) - H(e)\big) \;\Rightarrow\; \max H(Y) \text{ and } \min H(e)$$

(Equation  5.18) 

In  this  thesis,  the  source  is  fixed  and  minimization  of  the  interference  or  the  information 
lost  is  the  only  possible  optimization  of  the  control  communication  system.  Minimum  error 
variance  or  deviation  is,  therefore,  desired  for  a  Gaussian  noise  source  (Equation  5.3).  In 
the  more  general  case  of  a  bandlimited  channel  with  additive  Gaussian  white  noise,  the 
capacity  is  determined  by  the  Shannon-Hartley  Theorem: 

$$C = B \log(1 + S/N)$$

(Equation 5.19)

for bandwidth B and average signal (S) and noise (N) power.

A large bandwidth and signal-to-noise ratio (SNR) are desired in order to reach the greatest
capacity for the channel. This theorem also indicates that a noiseless channel has infinite
capacity. To reach the limiting rate of transmission of Equation 5.19, the source must
approximate bandlimited white noise (i.e. colored noise) in all statistical properties. This
ideal signalling scheme using noiselike signals approaches the channel capacity as the
transmission delay and number of signals approaches infinity. However, in practice, we
seldom try to achieve the maximum theoretical rate of transmission over the analog portion
of a channel; rather, we keep this portion of the system reasonably simple. [Shannon]




By  Shannon's  Fundamental  Theorem,  the  capacity  for  a  noisy  channel  determines 
the  theoretical  upper  limit  to  the  system's  rate  of  information  transfer  with  arbitrarily  small 
decision  error.  If  the  entropy  of  a  source  is  less  than  or  equal  to  the  system's  capacity 
(H(X) ≤ C), then there exists an encoding scheme for transmission across the channel
which  achieves  an  arbitrarily  small  probability  of  error.  This  is  possible  by  sending  the 
information  in  a  redundant  form  and  performing  a  statistical  analysis  on  the  different 
received  versions  of  the  message.  This  reduction  in  decision  error  causes  a  subsequent 
reduction in the lost information due to noise (i.e. H(X|Y) → 0) and, hence, an increase in
the rate of transmission for the channel (i.e. R → H(X)). However, these benefits are at a
cost  of  increased  complexity  and  either:  hardware  for  physical  redundancy,  or  delay  for 
repeated  messages  over  the  same  channel.  The  cost  of  errorless  transmission  is  infinite 
communication  channels  or  infinite  delay  time.  Hence,  it  is  not  possible  to  transmit 
information  over  a  noisy  channel  without  some  probability  of  error  due.  If  the  source 
entropy is greater than the system's capacity, then information of an amount H(X|Y) >
H(X)  -  C  is  necessarily  lost  during  transmission  due  to  the  definition  of  channel  capacity. 
Errorless  transmission  is  not  theoretically  possible  in  this  case.  In  conclusion,  a  system 
designer  always  tries  to  optimize  the  rate  of  transmission  to  the  channel's  capacity  by 
maximizing  source  information  and  by  minimizing  information  losses  due  to  interference 
through  redundancy  encoding.  Shannon  further  adds: 

An  approximation  to  the  ideal  would  have  the  property  that  if  the  signal  is  altered  in 
a  reasonable  way  by  the  noise,  the  original  can  still  be  recovered.  This  is 
accomplished  at  the  cost  of  a  certain  amount  of  redundancy  in  the  coding.  If  the 
source  already  has  a  certain  redundancy...,  this  redundancy  will  help  combat  noise. 

For  example,  in  a  noiseless  telegraph  channel  one  could  save  about  50%  in  time  by 
proper  encoding  of  the  messages.  This  is  not  done  and  most  of  the  redundancy  of 
English  remains  in  the  channel  symbols.  This  has  the  advantage,  however,  of 
allowing  considerable  noise  in  the  channel.  A  sizable  fraction  of  the  letters  can  be 
received  incorrectly  and  still  be  reconstructed  by  the  context.  In  fact  this  is 
probably  not  a  bad  approximation  to  the  ideal ...  [Shannon] 

5.5.1. Capacity of Redundant Structures for Fault-Tolerance


Figure  5.4  System  State  Decision  or  Information  Channel 

Here,  the  fault-tolerance  of  a  redundant  control  structure  in  the  presence  of  noise  is 
evaluated  (Figure  5.4).  In  this  context,  a  redundant  structure  can  be  considered  the  channel 
which  attempts  to  correctly  determine  or  communicate  the  current  state  of  the  system  (S) 
while  contending  with  error  or  noise  sources  inherent  within  the  decision.  The  system 
states  and  error  sources  possible  for  a  redundant  structure  can  be  identified  by  a  decision 
tree  (e.g.  Figure  4.18  and  4.30).  This  decision  tree  also  represents  explicitly  the  discrete 
communication or information channel for a redundant structure where: the input (X) is the
prior information, the output (Y) is the system states, and the channel is the decision paths
between input and output as dictated by the conditional knowledge of the FDI scheme. Due
to decision errors in the FDI scheme, it is not possible to completely know the current
system state by any operation upon the parity vector and information can be lost. The
certainty of these decisions (min H(Y|X)), the granularity or number of the system states
(max H(Y)), and the extent of our a priori knowledge (max H(X)) determine the capacity
(C) of the system for fault-tolerance (Equations 5.17, 5.18):

$$C = \max R = \max\big(H(X) - H(X \mid Y)\big) = \max\big(H(Y) - H(Y \mid X)\big) \;\Rightarrow\; \max H(X),\ \max H(Y),\ \text{and } \min H(Y \mid X)$$

The rate of information transmission (R) across the discrete channel is optimized by
maximizing the mutual information between the input and output states. First, the extent
of our a priori or input knowledge H(X) is maximized. The entropy of the exponential
reliability distribution is defined by the MTBF (Equation 5.4); any increase in the MTBF
causes a logarithmic increase in the input knowledge. Hence, a more reliable control
structure with a greater MTBF is desired. Second, system or output knowledge H(Y) is
maximized  by  increasing  the  granularity  or  number  of  the  output  system  states  (see 
Section  5.1.  on  entropy  of  discrete  event  sets).  In  Section  5.6.1.,  we  shall  find  that 
redundancy  provides  this  increase.  However,  the  gains  of  this  additional  knowledge 
cannot  be  realized  (and  can  even  be  at  a  detriment)  if  it  is  accompanied  by  poor  utilization  or 
transmission  losses.  The  channel  loss  or  uncertainty  of  the  FDI  scheme  is  minimized  by 
approaching the ideal, matched transmission scheme where: H(X|Y) = H(Y|X) = 0 and
R = H(X) = H(Y). This corresponds to two possible ideal FDI schemes for redundant
structures: the perfect-case of errorless decision, where p00 = p11 = 1 and p01 = p10 = 0;
and the worst-case of complete decision error, where p00 = p11 = 0 and p01 = p10 = 1.
Proper utilization of a redundant structure would also minimize the error variance of the
controlled parameter (Equation 5.18), which we shall find corresponds with the perfect-case
of errorless decision (Section 6.2). A large failure signal-to-noise ratio (SNR) is
required  in  order  to  approach  the  perfect-case.  In  conclusion,  the  capacity  or  optimal  rate 
of  information  transmission  of  a  redundant  structure  for  fault-tolerance  is  reached  by 
utilizing  a  highly  reliable  control  structure  at  the  greatest  level  of  redundancy  while 
maintaining  near-perfect  FDI  at  all  levels  of  operation.  In  practice,  the  capacity  is  never 
reached  due  to  cost  and  other  limitations  not  included  within  an  analysis  of  information 
transmission.  The  key  is  to  strive  for  higher  transmission  rates  through  reliability, 
redundancy,  or  better  FDI  performance  while  minimizing  any  important  cost  functions. 

5.6. Entropy Analysis of Redundant Structures


As  an  example  entropy  analysis  related  to  our  study,  redundant  control  structures 
will be examined and compared with respect to a system or joint entropy H_system(t) which
is defined by the entropy of the system state H(S) and the conditioned error function H(e)
for a given mission time (t). A table of the conditional error entropy H(e) for given system
states  has  been  compiled  in  Figure  5.5  to  simplify  these  formulations.  A  redundant 
structure  operated  with  a  FDI  scheme  (e.g.  the  DDRS  and  TRS  of  Chapter  4)  can  be  further 
analyzed  with  respect  to  the  rate  of  information  transmission  for  the  FDI  decision  channel. 
These  two  system  entropies  represent  the  a  priori  uncertainty  inherent  within  a  redundant 
structure  for  a  given  time  t  of  the  mission.  A  control  structure  with  a  decision  scheme  of 
maximum  rate  and  minimum  error  variance  is  optimal  with  respect  to  entropy  (Section  5.5. 
and  5.5.1). 

A table of the conditional error entropy H(e) is presented below for each possible
system state of the redundant structures which are analyzed. The probability distribution
for the error is derived in Section 3.1.1. for a system state with n failed and m working
structures (Equation 3.3 - 3.7). The probability distribution for a single working control
structure is represented as Gaussian with zero mean and standard deviation σ
(σ = 0.3276%FS, Figure 2.4). The error distribution for a redundant structure is
represented as either: Uniform with a base width of a, or Gaussian with zero mean and
standard deviation σs. The entropy H(e) for these distributions is derived in Equations 5.2
and 5.3. The conditional error function when three structures are working is arbitrarily
chosen as the measure function m(x) and therefore its entropy will represent zero
uncertainty. The conditional error entropy with respect to this measure function is
represented as Hm(e) in the table. Note that the entropy of corresponding system states is
reduced with each level of redundancy.

| System State | n | m | Probability Density | H(e) | Hm(e) |
|---|---|---|---|---|---|
| Single Structure, Working | 0 | 1 | Gaussian, σs = σ | log(σ√(2πe)) | 0.55 |
| Single Structure, Not Working | 1 | 0 | Uniform, a = 2FS | log(2FS) | 5.54 |
| Dual Structure, Both Working | 0 | 2 | Gaussian, σs = σ/√2 | log(σ√(πe)) | 0.20 |
| Dual Structure, One Working | 1 | 1 | Uniform, a = FS | log(FS) | 4.85 |
| Dual Structure, None Working | 2 | 0 | Gaussian, σs = FS/√6 | log(FS√(πe/3)) | 5.37 |
| Triple Structure, All Working | 0 | 3 | Gaussian, σs = σ/√3 | log(σ√(2πe/3)) | 0 |
| Triple Structure, Two Working | 1 | 2 | Uniform, a = 2FS/3 | log(2FS/3) | 4.45 |
| Triple Structure, One Working | 2 | 1 | Gaussian, σs = FS√2/√27 | log(2FS√(πe/27)) | 4.97 |
| Triple Structure, None Working | 3 | 0 | Gaussian, σs = FS/3 | log(FS√(2πe/9)) | 5.17 |

Figure  5.5  Error  Entropy  For  Each  System  State 


In  Appendix  B,  an  example  entropy  analysis  for  a  single  and  dual  redundant 
control  structure  with  respect  to  the  failure  time  and  conditioned  error  functions  for  a  given 
mission  length  T  is  also  provided.  This  analysis  examines  the  use  of  the  continuous  failure 
time  function  as  the  basis  for  system  uncertainty.  Results  are  similar  to  those  found  in  this 
section  but  are  much  more  difficult  to  reach. 




5.6.1.  Entropy  Analysis  of  Redundant  Structures  without  FDI 


This  section  examines  the  entropy  of  redundant  structures  which  do  not  perform 
fault detection and isolation. A system or joint entropy H_system(t), which represents the
a  priori  uncertainty  inherent  within  a  redundant  structure  for  a  given  time  t  of  the  mission, 
is  formulated  from  the  exponential  reliability  distribution  and  the  Gaussian  error  function 
conditioned  upon  the  system  state  of  the  structure.  For  example,  a  dual  redundant  structure 
without  any  FDI  scheme  has  a  discrete  set  of  system  states:  both  structures  working,  single 
fault  of  either  structure,  and  both  structures  inoperative.  The  size  of  the  event  set  is  further 
increased  with  the  number  (N)  of  redundant  structures.  It  is  assumed  that  no  decision  is 
made  regarding  the  current  state  of  the  system  and  that  all  control  structures  are  included 
within  the  voting/estimation  algorithm  at  any  given  time  t  of  the  mission.  A  FDI  and 
reconfiguration  scheme  would  add  more  possible  states/events  for  the  redundant  structure 
as  dictated  by  the  decision  trees  presented  in  Chapter  4  (see  Figures  4.18  and  4.30). 
System  entropy  is  formulated  as  the  joint  entropy  of  the  discrete  set  S  of  system  states  and 
the  continuous  Gaussian  or  Uniform  density  of  the  conditional  error  e  (Figure  5.5): 

$$H_{system}(t) = H(e, S \mid t) = H(S \mid t) + H(e \mid S, t)$$

(Equation 5.20)

The entropy of the system state set H(S|t) is formulated directly from Shannon's
equation (Equation 5.1) for discrete events and exhibits a characteristic, "humped" curve.
The entropy peaks just before reaching the MTBF for a single structure when all events are
equally certain and subsequently approaches zero as we become more and more certain that
all structures have failed (Q(∞) = 1). Thus, the contribution to the system entropy becomes
negligible with large mission times. The entropy of the system state set increases
monotonically with the level of redundancy due to the increased size of the structure event
set. The failure rate of the example reliability budget (0.000142, Figure 3.7) is used in
producing  the  following  figures. 


Figure  5.6  Entropy  of  the  System  State  for  Redundant  Structures 


Single Structure

$$H(S \mid t) = -R_s(t)\log R_s(t) - \big(1 - R_s(t)\big)\log\big(1 - R_s(t)\big)$$

(Equation 5.21)


Dual Redundant Structure

$$H(S \mid t) = -R_s^2(t)\log R_s^2(t) - 2R_s(t)Q_s(t)\log\big(2R_s(t)Q_s(t)\big) - Q_s^2(t)\log Q_s^2(t)$$

(Equation 5.22)


Triple Redundant Structure

$$H(S \mid t) = -R_s^3(t)\log R_s^3(t) - 3Q_s(t)R_s^2(t)\log\big(3Q_s(t)R_s^2(t)\big) - 3R_s(t)Q_s^2(t)\log\big(3R_s(t)Q_s^2(t)\big) - Q_s^3(t)\log Q_s^3(t)$$

(Equation 5.23)


The mean conditional entropy H(e|S,t) of the error function is defined as the
uncertainty  of  the  error  for  a  given  state  averaged  over  all  possible  states  of  the  structure 
(Equations  5.24  -  5.26).  The  entropy  of  the  error  function  for  each  system  state  is 
tabulated  in  Figure  5.5  with  respect  to  a  measure  function  m(x).  The  conditional  error 
function  when  three  structures  are  working  is  arbitrarily  chosen  as  the  measure  function 
m(x)  and  therefore  its  entropy  will  represent  zero  uncertainty.  In  Figure  5.7,  the  mean 
conditional  entropy  for  the  error  monotonically  increases  over  the  mission  time  from  the 
initial  system  state  where  all  structures  are  working  (Gaussian  with  tight  variance)  to  the 
worst-case  system  state  where  all  structures  have  failed  (Uniform  over  fullscale  range). 

For  the  majority  of  the  mission,  the  mean  conditional  entropy  is  found  to  increase  with 
additional  levels  of  redundancy  because  of  the  corrupting  effect  of  any  single  controller 
failure  to  the  estimation  algorithm.  However,  redundancy  does  afford  a  lower  initial  and 
final  entropy  due  to  the  reduced  variance  of  the  error  function  upon  averaging  the  controlled 
parameter.  Mean  conditional  entropy  necessarily  dominates  the  joint  or  system  entropy 
H_system(t) due to the continuous nature of the error function (Figure 5.8).

Single Structure

$$H(e \mid S,t) = R_s(t)\,H(e \mid \text{Working}) + Q_s(t)\,H(e \mid \text{Not Working}) = R_s(t) \cdot 0.55 + Q_s(t) \cdot 5.54$$

Dual Redundant Structure

$$H(e \mid S,t) = R_s^2(t)\,H(e \mid \text{Both Working}) + 2R_s(t)Q_s(t)\,H(e \mid \text{One Working}) + Q_s^2(t)\,H(e \mid \text{None Working})$$

$$H(e \mid S,t) = R_s^2(t) \cdot 0.20 + 2R_s(t)Q_s(t) \cdot 4.85 + Q_s^2(t) \cdot 5.37$$

Triple Redundant Structure

$$H(e \mid S,t) = 3Q_s(t)R_s^2(t) \cdot 4.45 + 3R_s(t)Q_s^2(t) \cdot 4.97 + Q_s^3(t) \cdot 5.17$$


(Equations  5.24  -  5.26) 

Figure 5.7 Mean Conditional Entropy of the Error Function

Figure 5.8 Joint or System Entropy of the Control Structure
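
The quantities of Figure 5.5 and Equations 5.20 - 5.26 can be reproduced numerically. The following Python sketch is an added example, not code from the thesis; the function names are hypothetical, full scale is normalised to 1, and natural logarithms are assumed because they reproduce the tabulated values.

```python
import math

SIGMA = 0.003276    # single-structure standard deviation, 0.3276 %FS (Figure 2.4)
FS = 1.0            # full scale, normalised (assumption of this example)
LAMBDA = 0.000142   # failure rate of the example reliability budget (Figure 3.7)


def h_gauss(sigma_s):
    """Differential entropy (nats) of a zero-mean Gaussian with std dev sigma_s."""
    return math.log(sigma_s * math.sqrt(2 * math.pi * math.e))


def h_uniform(a):
    """Differential entropy (nats) of a uniform density with base width a."""
    return math.log(a)


# (n failed, m working) -> H(e) for that system state, as listed in Figure 5.5
STATE_ENTROPY = {
    (0, 1): h_gauss(SIGMA),
    (1, 0): h_uniform(2 * FS),
    (0, 2): h_gauss(SIGMA / math.sqrt(2)),
    (1, 1): h_uniform(FS),
    (2, 0): h_gauss(FS / math.sqrt(6)),
    (0, 3): h_gauss(SIGMA / math.sqrt(3)),
    (1, 2): h_uniform(2 * FS / 3),
    (2, 1): h_gauss(FS * math.sqrt(2) / math.sqrt(27)),
    (3, 0): h_gauss(FS / 3),
}
# Measure function m(x): the error density with three structures working.
H_REFERENCE = STATE_ENTROPY[(0, 3)]


def h_m(n_failed, m_working):
    """Hm(e): error entropy of a state relative to the measure function."""
    return STATE_ENTROPY[(n_failed, m_working)] - H_REFERENCE


def reliability(t):
    """Exponential reliability Rs(t) of one structure."""
    return math.exp(-LAMBDA * t)


def state_probs(n_structures, t):
    """Probability of k failed structures out of N, for k = 0..N (no FDI)."""
    r = reliability(t)
    q = 1.0 - r
    return {k: math.comb(n_structures, k) * q**k * r**(n_structures - k)
            for k in range(n_structures + 1)}


def h_state(n_structures, t):
    """H(S|t), Equations 5.21 - 5.23."""
    return -sum(p * math.log(p)
                for p in state_probs(n_structures, t).values() if p > 0)


def h_error(n_structures, t):
    """H(e|S,t), Equations 5.24 - 5.26, using unrounded Hm(e) values."""
    return sum(p * h_m(k, n_structures - k)
               for k, p in state_probs(n_structures, t).items())


def h_system(n_structures, t):
    """Joint or system entropy, Equation 5.20."""
    return h_state(n_structures, t) + h_error(n_structures, t)


if __name__ == "__main__":
    for (n, m) in STATE_ENTROPY:
        print(f"n={n} m={m}  Hm(e) = {h_m(n, m):.2f}")
    for t in (0, 1000, 5000, 20000):
        print(t, [round(h_system(N, t), 3) for N in (1, 2, 3)])
```

Because the tabulated entropies are rounded to two decimals, values computed here differ from the hand formulas of Equations 5.24 - 5.26 in the third decimal place.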

5.6.2. Entropy Analysis of a Single Control Structure with Fault Detection

In  this  section,  the  relative  merit  of  a  fault  detection  scheme  for  a  single  control 
structure  is  examined.  In  the  exercises  of  this  thesis,  it  has  been  assumed  that  system 
shutdown  is  not  a  possible  system  state.  Hence,  no  matter  what  decision  is  made  by  a  fault 
detection  scheme,  the  control  structure  will  be  utilized  in  all  estimates  of  the  controlled 
parameter  for  the  length  of  the  mission.  The  only  benefit  of  a  fault  detection  scheme  in  this 
situation  is  to  alert  the  operator  of  possible  failure.  Three  fault  detection  schemes  of 
differing  performance  are  examined  with  respect  to  entropy  and  information  transmission: 
the  perfect  case  of  errorless  detection,  the  worst  case  of  complete  misinformation,  and  the 
poor  or  noisy  case  which  results  in  no  information.  The  failure  rate  of  the  example 
reliability  budget  (0.000142,  Figure  3.7)  and  the  conditional  error  entropies  of  Figure  5.5 
are  used  in  producing  the  following  figures.  In  each  case,  the  following  are  derived  and 
compared: 

1) Outcome entropy HY1*, mean conditional entropy HC1*, and rate of information
transmission RT1* = HY1* - HC1* for the FDI channel or decision.

2) System state entropy HS1*, mean conditional entropy of the estimation error
HE1*, and system or joint entropy HT1* = HS1* + HE1*.

A  control  structure  with  a  decision  scheme  of  maximum  rate  and  minimum  error  variance  is 
optimal  with  respect  to  entropy  (Section  5.5.  and  5.5.1). 

Note:  *  represents  a  suffix  (e.g.  pc,  wc,  poor)  used  to  distinguish  the  results  for  different 
FDI  schemes. 

Note: Results for a structure without FDI are represented without a suffix.

Perfect Fault Detection (P00 = P11 = 1, P01 = P10 = 0)

HY1* = - pr{decide structure working} log(pr{decide structure working})
       - pr{decide structure failed} log(pr{decide structure failed})

HY1pc = -(R P00 + Q P01) log(R P00 + Q P01) - (R P10 + Q P11) log(R P10 + Q P11)

HY1pc = -R log R - Q log Q = HS1

HC1pc = -R (P00 log P00 + P10 log P10) - Q (P11 log P11 + P01 log P01) = 0

RT1pc = H(Y) - H(Y|X) = HY1pc - HC1pc = HS1
(Equations 5.27 - 5.29)

Worst Fault Detection (P00 = P11 = 0, P01 = P10 = 1)

HY1wc = -R log R - Q log Q = HS1

HC1wc = 0;  RT1wc = HS1
(Equations 5.30 - 5.32)

Poor Fault Detection (P00 = P11 = P01 = P10 = 0.5)

HY1poor = log 2 ≥ HS1
HC1poor = log 2;  RT1poor = 0
(Equations 5.33 - 5.35)

Single Structure with any FD Scheme and No Shutdown

HS1* = -R (P00 + P10) log(R (P00 + P10)) - Q (P11 + P01) log(Q (P11 + P01))
HS1* = -R log R - Q log Q = HS1

HE1* = R H(e | Working) + Q H(e | Failed) = R * 0.55 + Q * 5.54 = HE1

HT1* = HT1
(Equations 5.36, 5.37)


The  inclusion  of  any  type  of  fault  detection  scheme  has  no  effect  on  the  mean 
conditional entropy of the error because the control structure is utilized regardless of the
decided system state. Hence, system performance (in terms of the error variance of the
controlled  parameter)  is  independent  of  the  fault  detection  scheme.  Also,  perfect  and  worst 
case  fault  detection  cannot  be  distinguished  from  each  other,  nor  from  the  case  without  fault 
detection.  However,  it  is  indicated  that  a  poor  fault  detection  scheme  is  not  acceptable  due 
to  its  zero  rate  of  information  transmission  (i.e.  the  decision  is  independent  from  the  system 
and  is,  therefore,  equally  informative  as  flipping  a  coin).  The  conclusion  from  this  analysis 
is  that  no  fault  detection  scheme  should  be  utilized  for  a  single  control  structure  without 
shutdown  capability.  Obviously,  this  conclusion  is  a  bit  premature  without  some  analysis 
of  cost  functions  other  than  error  variance  (e.g.  operator  safety,  cost  of  implementation). 
This  conclusion  is  quite  common  for  any  consumable  process  which  is  simply  discarded  or 
replaced  upon  failure.  For  some  applications,  however,  the  cost  of  operator  safety  dictates 
the  necessity  of  quick  detection  of  system  failure  so  that  the  operator  may  respond  with 
protective  measures.  The  predicted  mission  outcome  from  this  analysis  is  that  the  control 
structure will operate with the specified variance (σ²) until the MTBF. Therefore, mission
length  must  be  less  than  the  MTBF  and  would  optimally  be  set  at  the  time  of  maximum 
system  state  entropy  (i.e.  the  hump  of  Figure  5.6). 

The relative merit of a fault detection scheme for a single control structure is now
examined  where  system  shutdown  is  a  possible  system  state.  System  shutdown  is  initiated 
immediately  upon  detection  of  a  fault.  Here,  the  benefit  of  a  fault  detection  scheme  is  to 
avoid  faulty  performance  or  product  by  simply  ending  the  mission.  The  tabulation  of  mean 
conditional  entropy  of  the  error  function  (Figure  5.5)  must  be  expanded  to  cover  these 
additional  states  (Figure  5.9).  Note  that  error  entropy  is  zero  during  system  shutdown. 
Decision  entropies  and  information  rates  for  the  FDI  channel  remain  unchanged  since  the 
two  decisions  (structure  working,  structure  failed)  are  unchanged. 


| System State | p(S) | H(e) |
|---|---|---|
| Normal Operation | R P00 | 0.55 |
| System Shutdown | R P10 + Q P11 | 0 |
| Missed Detection | Q P01 | 5.54 |

Figure  5.9  Error  Entropy  For  System  States 

Three  fault  detection  schemes  of  differing  performance  are  examined  with  respect  to 
entropy  and  information  transmission:  the  perfect  case  of  errorless  detection,  the  worst  case 
of  complete  misinformation,  and  the  poor  or  noisy  case  which  results  in  no  information. 

Perfect Fault Detection (P00 = P11 = 1, P01 = P10 = 0)

HS1pc = -R P00 log(R P00) - (R P10 + Q P11) log(R P10 + Q P11) - Q P01 log(Q P01)

HS1pc = -R log R - Q log Q = HS1

HE1pc = R P00 H(e | Working) + (R P10 + Q P11) H(e | Shutdown) + Q P01 H(e | Failed)

HE1pc = R * 0.55 ≈ 0
(Equations 5.38, 5.39)


Worst Fault Detection (P00 = P11 = 0, P01 = P10 = 1)

HS1wc = -R log R - Q log Q = HS1

HE1wc = Q * 5.54 ≫ HS1
(Equations 5.40, 5.41)


Poor Fault Detection (P00 = P11 = P01 = P10 = 0.5)

HS1poor = -0.5 R log R - 0.5 Q log Q + log 2 > HS1

HE1poor = 0.5 * (R * 0.55 + Q * 5.54) = 1/2 HE1
(Equations 5.42, 5.43)


Figure  5.10  Error  Entropy  for  Structure  with  Shutdown 


In  this  example  formulation,  the  perfect  and  worst  case  of  fault  detection  are  again 
indistinguishable  in  their  rate  of  information  transmission  and  poor  fault  detection  is  found 
to  have  zero  rate  of  transmission.  With  the  new  set  of  error  entropies  for  the  additional 
system  state  of  shutdown  (Figure  5.9),  the  perfect  case  of  errorless  fault  detection  is 
determined  to  provide  the  smallest  average  conditional  entropy  for  estimation  error.  The 
conclusion  from  this  analysis  is  that  perfect  fault  detection  is  optimal  for  a  single  control 
structure  with  shutdown  capability.  However,  this  analysis  also  indicates  that  any  fault 
detection  scheme  (even  worst  case)  is  preferable  to  none.  Initially,  the  error  entropy  for  the 
worst  case  detection  scheme  is  actually  the  smallest  at  zero.  This  is  because  no  cost  is 
assigned  to  the  case  of  false  alarm.  The  worst  case  scheme  of  misinformation  would 
immediately  stop  the  mission  due  to  its  ignorance.  The  following  analysis  addresses  this 
problem.  Here,  the  system  state  of  false  alarm  is  given  the  same  weight  as  missed 
detection in the tabulation of entropy for the error function (Figure 5.11).


| System State | p(S) | H(e) |
|---|---|---|
| Normal Operation | R P00 | 0.55 |
| False Alarm | R P10 | 5.54 |
| Fault Detection | Q P11 | 0 |
| Missed Detection | Q P01 | 5.54 |

Figure  5.11  Error  Entropy  For  System  States 


Worst Fault Detection:  HE1wc = 5.54 > HS1  (Equation 5.44)

Poor Fault Detection:  HE1poor = 0.5 * (R * (0.55 + 5.54) + Q * 5.54)  (Equation 5.45)

Figure 5.12 Error Entropy for Structure with Shutdown and False Alarm Cost

Perfect  fault  detection  remains  optimal.  The  only  result  modified  is  that  the  mean 
conditional  entropy  of  the  error  is  increased  for  the  poor  and  worst  cases  of  fault  detection 
(Equations  5.54,  5.55).  Initially,  a  structure  with  a  fault  detection  scheme  can  be 
considered  less  optimal  than  a  structure  without  FDI.  As  the  mission  progresses,  a  fault 
detection  scheme  becomes  desirable.  The  greater  the  decision  error  for  the  detection 
scheme,  the  further  in  the  mission  for  the  scheme  to  become  useful.  The  perfect  detection 
scheme  would  be  utilized  immediately.  The  worst  case  scheme  of  misinformation  is  never 
utilized.  The  poor  or  noisy  fault  detection  scheme  is  only  acceptable  after  the  probability  of 
a  failure  is  already  high.  This  mimics  the  threshold  variation  which  occurs  with  a  fault 
detection  scheme  based  on  the  Bayes  criterion.  The  threshold  is  set  very  high  initially 
(when  the  reliability  is  very  high)  such  that  false  alarms  are  minimized.  As  the  mission 
progresses,  the  threshold  is  reduced  to  zero  in  order  to  sensitize  the  test  to  fault 
occurrences.  Therefore,  this  cost  analysis  allows  determination  of  whether  a  fault  detection 
scheme  is  acceptable  and,  if  so,  when  during  the  mission  it  should  be  utilized. 
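
The decision-channel entropies and the point in the mission at which a detection scheme becomes useful can be computed directly from the conditional probabilities. The following Python sketch is an added example, not code from the thesis; the function names are hypothetical, natural logarithms are used, and "useful" is taken (an assumption of this example) to mean that the mean conditional error entropy with shutdown and false-alarm cost (Figure 5.11) falls below the value without FDI.

```python
import math

LAMBDA = 0.000142                  # failure rate of the example reliability budget (Figure 3.7)
H_WORKING, H_FAILED = 0.55, 5.54   # single-structure error entropies (Figure 5.5)

# P[i, j] = pr{decide i | true state j}, with 0 = working and 1 = failed,
# so P[1, 0] is the false-alarm and P[0, 1] the missed-detection probability.
SCHEMES = {
    "pc":   {(0, 0): 1.0, (1, 0): 0.0, (0, 1): 0.0, (1, 1): 1.0},   # perfect
    "wc":   {(0, 0): 0.0, (1, 0): 1.0, (0, 1): 1.0, (1, 1): 0.0},   # worst
    "poor": {(0, 0): 0.5, (1, 0): 0.5, (0, 1): 0.5, (1, 1): 0.5},   # noisy
}


def plogp(p):
    """-p log p in nats, with the convention 0 log 0 = 0."""
    return -p * math.log(p) if p > 0 else 0.0


def reliability(t):
    """Exponential reliability R(t) of the single structure."""
    return math.exp(-LAMBDA * t)


def decision_channel(R, P):
    """Return (HY1, HC1, RT1) of the FDI decision channel, Equations 5.27 - 5.35."""
    Q = 1.0 - R
    hy = plogp(R * P[0, 0] + Q * P[0, 1]) + plogp(R * P[1, 0] + Q * P[1, 1])
    hc = (R * (plogp(P[0, 0]) + plogp(P[1, 0]))
          + Q * (plogp(P[1, 1]) + plogp(P[0, 1])))
    return hy, hc, hy - hc


def error_entropy_no_fdi(R):
    """HE1: structure used regardless of the decision (Equation 5.36)."""
    return R * H_WORKING + (1.0 - R) * H_FAILED


def error_entropy_shutdown(R, P, false_alarm_entropy=0.0):
    """HE1* with shutdown on alarm. false_alarm_entropy = 0 gives Figure 5.9,
    false_alarm_entropy = H_FAILED gives Figure 5.11."""
    Q = 1.0 - R
    return (R * P[0, 0] * H_WORKING                # normal operation
            + R * P[1, 0] * false_alarm_entropy    # false alarm
            + Q * P[1, 1] * 0.0                    # fault detected, shutdown
            + Q * P[0, 1] * H_FAILED)              # missed detection


def first_useful_time(P):
    """Mission time after which HE1* (Figure 5.11 weights) is below HE1 without FDI.

    HE1 - HE1* = Q P11 H_FAILED - R P10 (H_FAILED - H_WORKING), which is positive
    once Q/R = exp(LAMBDA t) - 1 exceeds k below. Returns None if that never happens.
    """
    if P[1, 1] == 0:
        return None
    k = P[1, 0] * (H_FAILED - H_WORKING) / (P[1, 1] * H_FAILED)
    return math.log1p(k) / LAMBDA


if __name__ == "__main__":
    R = reliability(1000)
    for name, P in SCHEMES.items():
        hy, hc, rt = decision_channel(R, P)
        print(f"{name:5s} HY1={hy:.3f} HC1={hc:.3f} RT1={rt:.3f} "
              f"HE1*={error_entropy_shutdown(R, P, H_FAILED):.3f} "
              f"useful after t={first_useful_time(P)}")
```

With these inputs the perfect scheme is useful from the start of the mission, the worst-case scheme never is, and the poor scheme only once the reliability has dropped to roughly one half.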

5.6.3. Entropy Analysis of Dual Redundant Structures


In  this  section,  the  relative  merit  of  a  fault  detection  scheme  for  redundant  control 
structures  is  examined.  In  the  exercises  of  this  thesis,  it  has  been  assumed  that  system 
shutdown  is  not  a  possible  system  state.  Hence,  no  matter  what  decision  branch  is 
followed  by  a  fault  detection  scheme,  at  least  one  control  structure  will  be  utilized  in  the 
estimates  of  the  controlled  parameter  for  the  length  of  the  mission.  The  benefit  of  a  fault 
detection  scheme  in  this  situation  is  to  alert  the  operator  and  to  isolate  any  possible  failure 
so  that  continuous  operation  can  be  maintained  with  the  working  controller.  Many  fault 
detection  schemes  of  differing  performance  are  examined  with  respect  to  entropy  and 
information  transmission.  The  failure  rate  of  the  example  reliability  budget  (0.000142, 
Figure  3.7)  and  the  conditional  error  entropies  of  Figure  5.5  are  used  in  producing  the 
following  figures.  In  each  case,  the  following  are  derived  and  compared: 

1) Outcome entropy HY#*, mean conditional entropy HC#*, and rate of information
transmission RT#* = HY#* - HC#* for the FDI channel or decision.

2) System state entropy HS#*, mean conditional entropy of the estimation error
HE#*, and system or joint entropy H#* = HS#* + HE#*.

A control structure with a decision scheme of maximum rate and minimum error variance is
optimal with respect to entropy (Section 5.5 and 5.5.1).

Note: * represents a suffix (e.g. pc, wc, poor) used to distinguish the results for different
FDI schemes. Results for a redundant structure without FDI are represented without
this suffix.

Note:  #  represents  a  numerical  suffix  (e.g.  1,  2,  3)  used  to  distinguish  the  results  for  a 
different  number  N  of  redundant  structures. 

First, a dual structure without simplex FDI schemes (Figure 4.18) is examined for
four cases of duplex fault detection: the optimized case of the Bayes criterion, the static
threshold case of the Neyman-Pearson criterion, the worst case of complete
misinformation, and the poor or noisy case which results in no information. Only two
decisions or outcomes are possible (both working, dual or single fault) because no simplex
FDI is implemented. A failure SNR of five (used in previous exercises) is assumed. The
conditional probability of a hidden dual fault or common bias given that a dual fault has
occurred is represented here as Pdf. Also, refer to Equations 4.20 - 4.24 for the system
state probabilities.

HY2* = - pr{decide both working} log (pr{decide both working})
       - pr{decide dual or single fault} log (pr{decide dual or single fault})

HY2* = - (R² P00 + 2 R Q P01 + Q² Pdf P00 + Q² (1 - Pdf) P01)
         * log (R² P00 + 2 R Q P01 + Q² Pdf P00 + Q² (1 - Pdf) P01)
       - (R² P10 + 2 R Q P11 + Q² Pdf P10 + (1 - Pdf) P11)
         * log (R² P10 + 2 R Q P11 + Q² Pdf P10 + (1 - Pdf) P11)

HC2* = - R² (P00 log P00 + P10 log P10) - 2 R Q (P11 log P11 + P01 log P01)
       - (Pdf P00 log (Pdf P00) + Pdf P10 log (Pdf P10) + (1 - Pdf) P11 log ((1 - Pdf) P11)
          + (1 - Pdf) P01 log ((1 - Pdf) P01))

HS2* = - Ps1 log Ps1 - Ps2 log Ps2 - Ps3 log Ps3 - Ps4 log Ps4 - Ps5 log Ps5

HE2* = Ps1 H(e|S1) + Ps2 H(e|S2) + Ps3 H(e|S3) + Ps4 H(e|S4) + Ps5 H(e|S5)
HE2* = Ps1 * 0.2 + Ps2 * 4.85 + Ps3 * 5.37 + Ps4 * 0.55 + Ps5 * 5.54

(Equations 5.46 - 5.49)


Perfect Duplex Fault Detection (P00 = P11 = 1, P01 = P10 = Pdf = 0)

HY2pc = - R² log R² - (2 R Q + Q²) log (2 R Q + Q²)
HC2pc = 0 ;  RT2pc = HY2pc
HS2pc = - R² log R² - R Q log R Q - (R Q + Q²) log (R Q + Q²)
HE2pc = R² * 0.2 + R Q * 0.55 + (R Q + Q²) * 5.54

(Equations 5.50 - 5.54)


Worst Duplex Fault Detection (P00 = P11 = Pdf = 0, P01 = P10 = 1)

HY2wc = (2 R Q + Q²) log (2 R Q + Q²) - R² log R²
HC2wc = 0 ;  RT2wc = HY2wc
HS2wc = - 2 R Q log (2 R Q) - Q² log Q² - R² log R²
HE2wc = 2 R Q * 4.85 + Q² * 5.37 + R² * 0.55

(Equations 5.55 - 5.59)


Poor Fault Detection (P00 = P01 = P10 = P11 = 0.5, Pdf = 0)

HY2poor = - (R² + 2 R Q + Q²) * log (0.5 * (R² + 2 R Q + Q²)) = log 2
HC2poor = log 2 ;  RT2poor = 0

HS2poor = - 0.5 * R² log (0.5 * R²) - R Q log (R Q) - 0.5 * Q² log (0.5 * Q²)
          - 0.5 * (R² + R Q) log (0.5 * (R² + R Q)) - 0.5 * (Q² + R Q) log (0.5 * (Q² + R Q))

HE2poor = R² * 0.1 + R Q * 4.85 + Q² * 2.685 + (R² + R Q) * 0.275 + (Q² + R Q) * 2.77

(Equations 5.60 - 5.64)


Outcome Entropy for the FDI Channel

Figures 5.16, 5.17

Results

Outcome Information:   poor = log 2 > np > bayes > pc = wc
Missing Information:   poor = log 2 > np > bayes > pc = wc = 0
Transmission Rate:     pc = wc > bayes > np > poor = 0

Error Entropy:         wc > poor > pc = bayes = np
System Entropy:        poor > wc > np > pc = bayes

Perfect  and  worst  case  fault  detection  are  found  to  provide  the  highest  rate  of 
information  transmission,  while  poor  or  noisy  fault  detection  has  a  zero  transmission  rate. 
The  Bayes  criterion  allows  a  slightly  higher  information  rate  than  the  Neyman-Pearson  (np) 
criterion,  both  of  which  are  near  optimal.  Note  the  improvement  of  the  Bayes  criterion  at 
reducing the amount of lost or missing information due to noise or error (HC2bayes <
HC2np). In comparison with a single structure without shutdown, duplex fault detection
has  a  higher  transmission  rate  initially  due  to  the  additional  outcome  information  and  a 
lower  rate  beyond  the  MTBF  due  to  the  inability  to  distinguish  between  dual  and  single 
failures.  Of  course,  the  duplex  scheme  can  incorporate  these  simplex  schemes  in  order  to 
improve  its  fault  tolerance  (see  below). 

Perfect, Bayes, and Neyman-Pearson fault detection provide the lowest mean
conditional error entropy over the length of the mission. The mean error entropy for these
schemes is less than or equal to the mean error entropy of a single structure (HE1pc <
HE1, Figure 5.16). Initially, they are improved due to the reduced error variance from the
estimation average. The worst case scheme provides the highest mean error entropy and is
approximately equal to the mean error entropy of the dual structure without fault detection
(HE2wc ≈ HE2, Figure 5.16). Similar results hold for the system or joint entropy.
System entropy for the Bayes criterion, however, is lower than that for the
Neyman-Pearson criterion.

Therefore, a dual redundant structure with an errorless duplex test allows a higher
rate of information and a lower mean error entropy over a single control structure (with or
without fault detection) for short missions which end before the MTBF. Bayes detection is
preferred over Neyman-Pearson. A dual structure without shutdown can achieve the same
performance with or without worst case detection, but must strive for perfect case detection
to improve upon the performance of a single structure.
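
The three ideal duplex cases (Equations 5.50 - 5.64) can be checked numerically over mission time. The following is an added example, not code from the thesis: it rebuilds the FDI channel and state probabilities for the perfect (pc), worst (wc) and poor cases and reproduces the orderings listed under Results. It assumes exponential reliability R = exp(-rate * t) with Q = 1 - R and natural logarithms; all function names are hypothetical.

```python
"""Added example (not from the thesis): duplex-only FDI on a dual structure.

Evaluates the perfect (pc), worst (wc) and poor cases of Equations 5.50-5.64.
Assumptions: R = exp(-rate * t), Q = 1 - R, natural logarithms.
"""
import math

FAILURE_RATE = 0.000142            # example reliability budget (Figure 3.7)
MTBF = 1.0 / FAILURE_RATE
H_ERR = (0.2, 4.85, 5.37, 0.55, 5.54)   # H(e|S1) .. H(e|S5), Equation 5.49

# pr{decide d | state s} as (P00, P10, P01, P11); 0 = working, 1 = fault.
CHANNEL = {
    "pc":   (1.0, 0.0, 0.0, 1.0),
    "wc":   (0.0, 1.0, 1.0, 0.0),
    "poor": (0.5, 0.5, 0.5, 0.5),
}


def entropy(probs):
    """-sum p log p, with the convention 0 log 0 = 0."""
    return -sum(p * math.log(p) for p in probs if p > 0.0)


def reliability(t, rate=FAILURE_RATE):
    """Assumed exponential reliability model: returns (R, Q) at time t."""
    r = math.exp(-rate * t)
    return r, 1.0 - r


def fdi_channel(scheme, r, q):
    """Return (HY2, HC2, RT2) for the two-outcome duplex decision (Pdf = 0)."""
    p00, p10, p01, p11 = CHANNEL[scheme]
    work, fault = r * r, 2 * r * q + q * q
    hy = entropy((work * p00 + fault * p01, work * p10 + fault * p11))
    hc = work * entropy((p00, p10)) + fault * entropy((p01, p11))
    return hy, hc, hy - hc


def state_probs(scheme, r, q):
    """(Ps1..Ps5) as they appear in the HS2/HE2 lines of each case."""
    r2, rq, q2 = r * r, r * q, q * q
    if scheme == "pc":
        return (r2, 0.0, 0.0, rq, rq + q2)
    if scheme == "wc":
        return (0.0, 2 * rq, q2, r2, 0.0)
    if scheme == "poor":
        return (0.5 * r2, rq, 0.5 * q2, 0.5 * (r2 + rq), 0.5 * (q2 + rq))
    raise ValueError(f"unknown scheme: {scheme}")


def error_entropy(scheme, r, q):
    """HE2*: state probabilities weighted by the conditional error entropies."""
    return sum(p * h for p, h in zip(state_probs(scheme, r, q), H_ERR))


def system_entropy(scheme, r, q):
    """H2* = HS2* + HE2*."""
    return entropy(state_probs(scheme, r, q)) + error_entropy(scheme, r, q)


def summarize(t):
    """All five quantities for each scheme at mission time t."""
    r, q = reliability(t)
    rows = {}
    for scheme in CHANNEL:
        hy, hc, rt = fdi_channel(scheme, r, q)
        rows[scheme] = {"HY": hy, "HC": hc, "RT": rt,
                        "HE": error_entropy(scheme, r, q),
                        "H": system_entropy(scheme, r, q)}
    return rows


if __name__ == "__main__":
    for t in (100.0, 1000.0, MTBF):
        print(f"t = {t:8.1f}")
        for scheme, row in summarize(t).items():
            print(f"  {scheme:5s} " + "  ".join(f"{k}={v:6.3f}" for k, v in row.items()))
```

With these weights the poor-case error entropy is exactly the mean of the perfect and worst cases, so the ordering wc > poor > pc holds for missions up to and beyond the MTBF under the assumed reliability model.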

A dual structure with two levels of fault detection (i.e. duplex and simplex FDI) is
examined for three cases: the perfect case of errorless detection at both levels, the worst
case of complete misinformation at both levels, and the poor or noisy case which results in
no information. Three decisions or outcomes are possible (both working, single fault, and
dual fault). Again, system shutdown is not considered as a possible system state.
Additionally, one level must be given precedence over the other in order to resolve conflicts
between the two levels of fault detection. The above results for a dual structure with only
duplex fault detection can be considered comparable with the case of full FDI where duplex
detection is given precedence and simplex detection is poor or noisy such that it provides
no additional information. Simplex detection upon either single controller within the dual
structure is independent from duplex detection upon the pair of controllers and simplex
detection upon the other control structure. The conditional probabilities for the simplex
detection scheme upon either single controller are represented as Ps## (e.g. Ps10 = the
probability of deciding a working structure is failed). However, simplex detection applied
to the second control structure is dependent upon the results of the simplex detection
applied to the first control structure and the duplex detection applied to the pair of control
structures. The conditional probabilities for the simplex detection scheme applied to the
second controller are represented as Ps(##)(##)# (e.g. Ps(10)(10)0 = the probability of
deciding the second working controller is failed when the first working controller and the
dual structure are considered failed). A property of mutually exclusive and exhaustive
events is that the sum of their probabilities must equal unity (e.g. Ps(10)(10)0 + Ps(00)(10)0 =
Ps10 + Ps00 = 1). In the ideal detection schemes to be examined (perfect, worst, and
poor), independence is assumed between duplex and simplex tests and, therefore,
Ps(##)(##)# = Ps##. The failure rate of the example reliability budget (0.000142, Figure
3.7) and the conditional error entropies of Figure 5.5 are used in producing the following
figures. A control structure with a decision scheme of maximum rate and minimum error
variance is optimal with respect to entropy (Section 5.5 and 5.5.1). In each case, the
following are derived and compared:

1) Outcome entropy HY2F#*, mean conditional entropy HC2F#*, and rate of
information transmission RT2F#* = HY2F#* - HC2F#* for the FDI channel or
decision.

2) System state entropy HS2F#*, mean conditional entropy of the estimation error
HE2F#*, and system or joint entropy H2F#* = HS2F#* + HE2F#*.

Note: * represents a suffix (e.g. pc, wc, poor) used to distinguish the results for different
FDI schemes. Results for a redundant structure without FDI are represented without
this suffix.

Note: # represents the level of fault detection given precedence for conflict resolution (e.g.
2 indicates duplex detection has precedence, while 1 indicates simplex detection).

Note: The suffix F represents a redundant structure with full FDI at all levels.


HY2F#* = - pr{decide both working} log (pr{decide both working})
         - pr{decide single fault} log (pr{decide single fault})
         - pr{decide dual fault} log (pr{decide dual fault})

HY2F2* = - (R² P00 + 2 R Q P01 + Q² Pdf P00 + (1 - Pdf) P01)
           * log (R² P00 + 2 R Q P01 + Q² Pdf P00 + (1 - Pdf) P01)
         - (R² P10 (1 - Ps10 Ps10101) + 2 R Q P11 (1 - Ps10 Ps11101)
            + (Q² Pdf P10 + (1 - Pdf) P11) (1 - Ps11 Ps11111))
           * log (R² P10 (1 - Ps10 Ps10101) + 2 R Q P11 (1 - Ps10 Ps11101)
                  + (Q² Pdf P10 + (1 - Pdf) P11) (1 - Ps11 Ps11111))
         - (R² P10 Ps10 Ps10101 + 2 R Q P11 Ps10 Ps11101
            + (Q² Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111)
           * log (R² P10 Ps10 Ps10101 + 2 R Q P11 Ps10 Ps11101
                  + (Q² Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111)

(Equation 5.65)


HY2F1* = - (R² P00 Ps00 Ps00000 + 2 R Q P01 Ps00 Ps01000
            + (Q² Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010)
           * log (R² P00 Ps00 Ps00000 + 2 R Q P01 Ps00 Ps01000
                  + (Q² Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010)
         - (R² (P10 (Ps00 + Ps10 Ps00101) + P00 (Ps00 Ps10000 + Ps10 Ps00100))
            + 2 R Q (P11 (Ps00 + Ps10 Ps01101) + P01 (Ps00 Ps11000 + Ps10 Ps01100))
            + (Q² Pdf P10 + (1 - Pdf) P11) (Ps01 + Ps11 Ps01111)
            + (Q² Pdf P00 + (1 - Pdf) P01) (Ps01 Ps11010 + Ps11 Ps01110))
           * log (R² (P10 (Ps00 + Ps10 Ps00101) + P00 (Ps00 Ps10000 + Ps10 Ps00100))
                  + 2 R Q (P11 (Ps00 + Ps10 Ps01101) + P01 (Ps00 Ps11000 + Ps10 Ps01100))
                  + (Q² Pdf P10 + (1 - Pdf) P11) (Ps01 + Ps11 Ps01111)
                  + (Q² Pdf P00 + (1 - Pdf) P01) (Ps01 Ps11010 + Ps11 Ps01110))
         - (R² (P10 Ps10 Ps10101 + P00 Ps10 Ps10100) + 2 R Q (P11 Ps10 Ps11101 + P01 Ps10 Ps11100)
            + (Q² Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111
            + (Q² Pdf P00 + Q² (1 - Pdf) P01) Ps11 Ps11110)
           * log (R² (P10 Ps10 Ps10101 + P00 Ps10 Ps10100) + 2 R Q (P11 Ps10 Ps11101 + P01 Ps10 Ps11100)
                  + (Q² Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111
                  + (Q² Pdf P00 + Q² (1 - Pdf) P01) Ps11 Ps11110)

(Equation 5.66)


HC2F2* = - R² (P00 log P00 + P10 (1 - Ps10 Ps10101) log (P10 (1 - Ps10 Ps10101))
               + P10 Ps10 Ps10101 log (P10 Ps10 Ps10101))
         - 2 R Q (P01 log P01 + P11 (1 - Ps10 Ps11101) log (P11 (1 - Ps10 Ps11101))
                  + P11 Ps10 Ps11101 log (P11 Ps10 Ps11101))
         - (Pdf P00 log (Pdf P00) + (1 - Pdf) P01 log ((1 - Pdf) P01)
            + Pdf P10 (1 - Ps11 Ps11111) log (Pdf P10 (1 - Ps11 Ps11111))
            + (1 - Pdf) P11 (1 - Ps11 Ps11111) log ((1 - Pdf) P11 (1 - Ps11 Ps11111))
            + Pdf P10 Ps11 Ps11111 log (Pdf P10 Ps11 Ps11111)
            + (1 - Pdf) P11 Ps11 Ps11111 log ((1 - Pdf) P11 Ps11 Ps11111))

(Equation 5.67)


HC2F1* = - R² (P00 Ps00 Ps00000 log (P00 Ps00 Ps00000)
               + (P10 (Ps00 + Ps10 Ps00101) + P00 (Ps00 Ps10000 + Ps10 Ps00100))
                 * log (P10 (Ps00 + Ps10 Ps00101) + P00 (Ps00 Ps10000 + Ps10 Ps00100))
               + (P10 Ps10 Ps10101 + P00 Ps10 Ps10100) log (P10 Ps10 Ps10101 + P00 Ps10 Ps10100))
         - 2 R Q (P01 Ps00 Ps01000 log (P01 Ps00 Ps01000)
                  + (P11 (Ps00 + Ps10 Ps01101) + P01 (Ps00 Ps11000 + Ps10 Ps01100))
                    * log (P11 (Ps00 + Ps10 Ps01101) + P01 (Ps00 Ps11000 + Ps10 Ps01100))
                  + (P11 Ps10 Ps11101 + P01 Ps10 Ps11100) log (P11 Ps10 Ps11101 + P01 Ps10 Ps11100))
         - ((Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010
              * log ((Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010)
            + ((Pdf P10 + (1 - Pdf) P11) * (Ps01 + Ps11 Ps01111)
               + (Pdf P00 + (1 - Pdf) P01) * (Ps01 Ps11010 + Ps11 Ps01110))
              * log ((Pdf P10 + (1 - Pdf) P11) * (Ps01 + Ps11 Ps01111)
                     + (Pdf P00 + (1 - Pdf) P01) * (Ps01 Ps11010 + Ps11 Ps01110))
            + ((Pdf P10 + (1 - Pdf) P11) * Ps11 Ps11111
               + (Pdf P00 + (1 - Pdf) P01) * Ps11 Ps11110)
              * log ((Pdf P10 + (1 - Pdf) P11) * Ps11 Ps11111
                     + (Pdf P00 + (1 - Pdf) P01) * Ps11 Ps11110))

(Equation 5.68)


HS2F2* = - Ps1 log Ps1 - Ps2 log Ps2 - Ps3 log Ps3 - Ps4 log Ps4 - Ps5 log Ps5

and

HE2F2* = Ps1 H(e|S1) + Ps2 H(e|S2) + Ps3 H(e|S3) + Ps4 H(e|S4) + Ps5 H(e|S5)

HE2F2* = Ps1 * 0.2 + Ps2 * 4.85 + Ps3 * 5.37 + Ps4 * 0.55 + Ps5 * 5.54

where

Ps1 = R² P00 ;  Ps2 = 2 R Q P01 ;  Ps3 = Pdf P00 + (1 - Pdf) P01 ;

Ps4 = R² P10 + 2 R Q P11 (Ps00 Ps11001 + Ps00 Ps01001 / 2 + Ps10 Ps11101 / 2) ;
Ps5 = (Q² - Ps3) + 2 R Q P11 (Ps10 Ps01101 + Ps00 Ps01001 / 2 + Ps10 Ps11101 / 2)

(Equations 5.69 - 5.75)


HS2F1* = - Ps1 log Ps1 - Ps2 log Ps2 - Ps3 log Ps3 - Ps4 log Ps4 - Ps5 log Ps5

and

HE2F1* = Ps1 H(e|S1) + Ps2 H(e|S2) + Ps3 H(e|S3) + Ps4 H(e|S4) + Ps5 H(e|S5)

HE2F1* = Ps1 * 0.2 + Ps2 * 4.85 + Ps3 * 5.37 + Ps4 * 0.55 + Ps5 * 5.54

where

Ps1 = R² P00 Ps00 Ps00000 ;  Ps2 = 2 R Q P01 Ps00 Ps01000 ;

Ps3 = (Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010 ;

Ps4 = (R² - Ps1) + 2 R Q P11 (Ps00 Ps11001 + Ps00 Ps01001 / 2 + Ps10 Ps11101 / 2)
      + 2 R Q P01 (Ps00 Ps11000 + Ps10 Ps11100 / 2) ;

Ps5 = (Q² - Ps3) + 2 R Q P11 (Ps10 Ps01101 + Ps00 Ps01001 / 2 + Ps10 Ps11101 / 2)
      + 2 R Q P01 (Ps10 Ps01100 + Ps10 Ps11100 / 2) ;

(Equations 5.76 - 5.82)


Perfect  Fault  Detection  at  All  Levels 


HY2F2pc = HY2F1pc = - R² log R² - 2 R Q log 2 R Q - Q² log Q² = HS2
HC2F2pc = HC2F1pc = 0 ;  RT2F*pc = HS2 > RT2pc

HS2F2pc = HS2F1pc = - R² log R² - 2 R Q log 2 R Q - Q² log Q² = HS2
HE2F2pc = HE2F1pc = R² * 0.2 + 2 R Q * 0.55 + Q² * 5.54 ^ HE2pc

(Equations 5.83 - 5.87)


Worst  Fault  Detection  at  All  Levels 

HY2F2wc = (2 R Q + Q²) log (2 R Q + Q²) - R² log R² = HY2wc
HC2F2wc = 0 ;  RT2F2wc = RT2wc
HY2F1wc = - R² log R² - 2 R Q log 2 R Q - Q² log Q² = HS2
HC2F1wc = 0 ;  RT2F1wc = HS2 = RT2F*pc

HS2F2wc = HS2F1wc = - R² log R² - 2 R Q log 2 R Q - Q² log Q² = HS2
HE2F2wc = R² * 0.55 + 2 R Q * 4.85 + Q² * 5.37 = HE2wc
HE2F1wc = R² * 0.55 + 2 R Q * 5.54 + Q² * 5.37 ^ HE2F2wc

(Equations 5.88 - 5.96)


Poor  Fault  Detection  at  All  Levels 


HY2F2poor = HC2F2poor = - 0.5 * log (0.5) - 0.375 * log (0.375) - 0.125 * log (0.125)
HY2F1poor = HC2F1poor = - 0.125 * log (0.125) - 0.625 * log (0.625) - 0.25 * log (0.25)
HC2F2poor = 0.974 > HC2F1poor = 0.900 ;  RT2F*poor = 0

HE2F2poor = R² * 0.1 + R Q * 4.85 + Q² * 2.685
            + (R² + R Q) * 0.275 + (Q² + R Q) * 2.77 = HE2poor > HE1

HE2F1poor = R² * 0.025 + R Q * 1.213 + Q² * 0.671
            + (R² + R Q) * 0.481 + (Q² + R Q) * 4.85 ≈ HE2poor

(Equations 5.97 - 5.102)


Perfect  Duplex  and  Poor  Simplex  Fault  Detection 


HY2F2pc,poor = - R² log R² - (2 R Q + Q²) * (0.75) log ((2 R Q + Q²) * (0.75))
               - (2 R Q + Q²) * (0.25) log ((2 R Q + Q²) * (0.25))

HC2F2pc,poor = - (2 R Q + Q²) * (0.75 * log (0.75) + 0.25 * log (0.25))

HY2F1pc,poor = - R² * 0.5 * (log (R² * 0.5) + log (R² * 0.25))
               - (2 R Q + Q²) * (0.75) log ((2 R Q + Q²) * (0.75))
               - (2 R Q + Q²) * (0.25) log ((2 R Q + Q²) * (0.25))

HC2F1pc,poor = - R² * 0.5 * (log (0.5) + log (0.25))
               - (2 R Q + Q²) * (0.75 * log (0.75) + 0.25 * log (0.25))

HC2F2pc,poor > HC2F1pc,poor ;  RT2F*pc,poor = RT2pc = HY2pc

HE2F2pc,poor = R² * 0.2 + R Q * 0.55 + (Q² + R Q) * 5.54 = HE2pc
HE2F1pc,poor = R² * 0.05 + (R² * 0.75 + R Q) * 0.55 + (Q² + R Q) * 5.54 ≈ HE1 ≈ HE2pc

(Equations 5.103 - 5.110)


Poor  Duplex  and  Perfect  Simplex  Fault  Detection 


HY2F2poor,pc = - 0.5 log 0.5 - (2 R Q + R²) * (0.5) * log ((2 R Q + R²) * (0.5))
               - Q² * (0.5) * log (Q² * 0.5)

HC2F2poor,pc = - log 0.5 = log 2

RT2F2poor,pc = - (1 - Q²) * (0.5) * log (1 - Q²) - Q² * (0.5) * log Q² ^ 0.5 * log 2

HY2F1poor,pc = - R² * 0.5 * log (R² * 0.5)
               - (2 R Q + R² * 0.5) * log (2 R Q + R² * 0.5) - Q² log Q²

HC2F1poor,pc = - R² log 0.5 ^ HC2F2poor,pc

RT2F1poor,pc = - R² * 0.5 * log R² - (2 R Q + R² * 0.5) * log (2 R Q + R² * 0.5) - Q² log Q²

HE2F2poor,pc = R² * 0.1 + R Q * 4.85 + Q² * 2.685
               + (R² + 2 R Q) * 0.275 + Q² * 2.77

HE2F1poor,pc = R² * 0.1 + (R² * 0.5 + 2 R Q) * 0.55 + Q² * 5.54 ≈ HE2F*pc

(Equations 5.111 - 5.118)


Duplex  FDI  alone  provides  the  same  results  for  a  dual  structure  as  full  FDI  which 
incorporates  a  poor  simplex  test  (i.e.  RT2*  =  RT2F2*  and  HE2*  =  HE2F2*).  These 
results  are  improved  upon  by  any  full  FDI  scheme  with  a  better  simplex  test.  Hence,  a  dual 
structure  with  full  FDI  allows  equivalent  or  better  performance  than  with  duplex  FDI  alone. 

In all cases of importance, full FDI with simplex precedence (RT2F1*, HE2F1*)
for conflict resolution provides better performance than the case of duplex precedence
(RT2F2*, HE2F2*). As observed in Figure 5.18, duplex precedence can be costly in
terms of information transfer (e.g. RT2F2poor,pc < RT2F1poor,pc). Even in cases of
equivalent information rates (e.g. Equations 5.99, 5.107, and 5.115), duplex precedence
exhibits a larger loss of information due to decision error (HC2F2* > HC2F1*). In Figure
5.19, it is observed that duplex precedence allows a greater error variance than simplex
precedence (HE2F2* > HE2F1*). Hence, simplex precedence must be utilized by a dual
structure with full FDI and without shutdown capability.

The perfect case of errorless detection for a dual structure with full FDI exhibits a
dramatic improvement over single structure performance in terms of reduced error variance
due to the second-order effect of its fault tolerance. Single structure performance is defined
by HE1 regardless of any simplex tests. Error variance for a perfect dual structure is
initially lower due to the averaging of two working controllers and is only gradually
increased upon switching to the second stage of a single working controller (Figure 5.19).
Perfect and worst case fault detection for a dual structure with full FDI are found to provide
the highest rate of information transmission, while poor or noisy fault detection has a zero
transmission rate (Figure 5.18). The general improvement of a dual structure over the
performance of a single structure is dictated by the quality of the simplex test (Figure 5.20).
This is because the cost of missed detection can be offset by giving precedence to the
simplex test and the cost of a false alarm is small for a structure without shutdown
capability. Hence, a dual structure without shutdown capability can achieve slightly better
performance than a single structure with a poor simplex test and significantly better
performance with a fair or better simplex test.


Full Dual Structure

Duplex Test       Simplex Test    Performance Comparison
any               worst           HE1 ^ HE2F#*poor < HE2F#*wc
any               poor            HE1 < HE2F#*poor
poor or better    fair            HE2F#*fair < HE1
poor or better    perfect         HE2F#*pc < HE2F#*fair < HE1

Figure 5.20 Comparison of Full Dual Structure and Single Structure


The  relative  merit  of  a  fault  detection  scheme  for  a  dual  control  structure  is  now 
examined  where  system  shutdown  is  a  possible  system  state.  Here,  the  system  state  of 
false  alarm  is  given  the  same  weight  as  missed  detection  in  the  tabulation  of  entropy  for  the 
error  function  (as  in  Figure  5.11).  System  shutdown  is  initiated  immediately  upon 
detection  of  a  fault  which  cannot  be  isolated.  Here,  the  benefit  of  a  fault  detection  scheme 
is  to  avoid  faulty  performance  or  product  by  simply  ending  the  mission. 

HE2F2* = Ps1 H(e|S1) + Ps2 H(e|S2) + Ps3 H(e|S3) + Ps4 H(e|S4) + Ps5 H(e|S5)
         + Pfs H(e|False Shutdown) + Psd H(e|Shutdown)

HE2F2* = Ps1 * 0.2 + Ps2 * 4.85 + Ps3 * 5.37 + Ps4 * 0.55 + (Ps5 + Pfs) * 5.54

where

Ps1 = R² P00 ;  Ps2 = 2 R Q P01 ;  Ps3 = Pdf P00 + (1 - Pdf) P01 ;

Ps4 = R² P10 (1 - Ps10 Ps10101) + 2 R Q P11 (Ps00 Ps11001 + Ps00 Ps01001 / 2) ;
Pfs = R² P10 Ps10 Ps10101 + 2 R Q P11 Ps10 Ps11101 ;

Ps5 = 2 R Q P11 (Ps10 Ps01101 + Ps00 Ps01001 / 2)
      + (Pdf P10 + (1 - Pdf) P11) (Ps01 + Ps11 Ps01111) ;

Psd = (Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111

(Equations 5.119 - 5.126)


HE2F1* = Ps1 H(e|S1) + Ps2 H(e|S2) + Ps3 H(e|S3) + Ps4 H(e|S4) + Ps5 H(e|S5)
         + Pfs H(e|False Shutdown) + Psd H(e|Shutdown)

HE2F1* = Ps1 * 0.2 + Ps2 * 4.85 + Ps3 * 5.37 + Ps4 * 0.55 + (Ps5 + Pfs) * 5.54

where

Ps1 = R² P00 Ps00 Ps00000 ;  Ps2 = 2 R Q P01 Ps00 Ps01000 ;

Ps3 = (Pdf P00 + (1 - Pdf) P01) Ps01 Ps01010 ;

Ps4 = R² (P10 (Ps00 + Ps10 Ps00101) + P00 (Ps00 Ps10000 + Ps10 Ps00100))
      + 2 R Q P11 (Ps00 Ps11001 + Ps00 Ps01001 / 2) + 2 R Q P01 Ps00 Ps11000 ;

Pfs = R² (P00 Ps10 Ps10100 + P10 Ps10 Ps10101)
      + 2 R Q (P01 Ps10 Ps11100 + P11 Ps10 Ps11101) ;

Ps5 = (Q² - Ps3 - Psd) + 2 R Q P11 (Ps10 Ps01101 + Ps00 Ps01001 / 2) + 2 R Q P01 Ps10 Ps01100 ;
Psd = (Pdf P10 + (1 - Pdf) P11) Ps11 Ps11111 + (Pdf P00 + (1 - Pdf) P01) Ps11 Ps11110

(Equations 5.127 - 5.134)


Perfect Detection: HE2F*pc = R² * 0.2 + 2 R Q * 0.55 (Equation 5.135)


Worst Fault Detection at All Levels

HE2F2wc = R² * 5.54 + 2 R Q * 4.85 + Q² * 5.37 < HE1wc

HE2F1wc = (R² + 2 R Q) * 5.54 + Q² * 5.37 ^ HE1wc

(Equations 5.136, 5.137)

Poor Fault Detection at All Levels

HE2F2poor = R² * 0.1 + R Q * 4.85 + Q² * 2.685
            + (R² + R Q) * 0.206 + (R² + 5 R Q + 3 Q²) * 0.693 ^ HE1poor

HE2F1poor = R² * 0.025 + R Q * 1.213 + Q² * 0.671
            + (R² + R Q) * 0.344 + (2 R² + 9 R Q + 5 Q²) * 0.693 ≈ HE2F2poor

(Equations 5.138, 5.139)

Perfect Duplex and Poor Simplex Fault Detection

HE2F2pc,poor = R² * 0.2 + R Q * 0.413 + (5 R Q + 3 Q²) * 1.39

HE2F1pc,poor = R² * 0.05 + (2 R² + 3 R Q) * 0.138 + (R² + 5 R Q + 3 Q²) * 1.39

(Equations 5.140, 5.141)

Poor Duplex and Perfect Simplex Fault Detection

HE2F2poor,pc = R² * 0.1 + R Q * 4.85 + Q² * 2.685 + (R² + 2 R Q) * 0.275
HE2F1poor,pc = R² * 0.1 + (R² * 0.5 + 2 R Q) * 0.55 ≈ HE2F*pc

(Equations 5.142, 5.143)

Figure 5.21 Error Entropy for Dual Structure with Shutdown and False Alarm Cost

Figure 5.22 Mission Stages for Different FDI Schemes

Figure 5.23 Improvement by Ignoring Poor Simplex Tests

Results indicate the need to switch the FDI decision scheme for different stages of
the mission in all but the most perfect case. A dual structure with full FDI can achieve
better average performance with duplex precedence (assume both working unless
difference test fails) in early stages of the mission where  = pr{Both Working}
dominates and with simplex precedence (assume dual or single fault unless all tests pass) in
the later stages of the mission where  = pr{Both Failed} dominates. A third decision
scheme with no precedence (assume single fault unless all tests agree otherwise) suggests a
middle stage for the full FDI scheme when 2RQ = pr{Single Fault} dominates. It is
concluded that precedence for the full FDI scheme should agree with the most probable
state for the given mission time (i.e. assume the dominant prior when designing the
decision scheme). Figure 5.22 illustrates this concept of a staged FDI scheme for the case
of poor fault detection at all levels. A fourth decision scheme, where no FDI is employed
and shutdown is always decided, is suggested by Figure 5.22 as a better alternative for the
third stage of a poor detection scheme due to its lower error entropy (HE2SD).

If  either  level  of  tests  (duplex  or  simplex)  should  dominate  the  other  in  quality,  then 
the  switching  times  for  the  mission  stages  must  be  adjusted  accordingly.  For  example,  as 
the  quality  of  the  duplex  test  approaches  the  perfect  case,  switching  times  will  be  pushed 
further  and  further  out  until  finally  duplex  precedence  (i.e.  HE2F2pc,poor)  will  be  utilized 
throughout the mission. The same holds for the simplex test (i.e. HE2F1poor,pc has a
lower error variance than HE2F2poor,pc over the entire mission).


The perfect case of errorless detection for a dual structure with full FDI exhibits a
dramatic improvement over single structure performance in terms of a longer average
mission before shutdown. Also, error variance for any dual structure is initially lower than
for a single structure due to the averaging of two working controllers. The general
improvement of a dual structure over the performance of a single structure is dictated by the
quality of both tests. For example, a dual structure with poor FDI at both levels reaches an
error variance much higher than that for a single structure (Figure 5.22). This difference
can be offset by deciding shutdown for the third stage of the decision scheme (HE2SD).
The increased error variance during the second stage cannot be further reduced due to the
inability to isolate the first failure by the poor simplex test. However, a dual structure with
a poor simplex test and a perfect duplex test can achieve lower error entropy than a single
structure with the same poor simplex test over the entire mission (Figure 5.23,
HE2F2pc,poor & HE2NS < HE1 & HE1poor). This is made possible by a second and
final decision stage where only the perfect duplex test is utilized and shutdown is initiated
upon a failed difference test (HE2NS). Good results can also be obtained with a perfect
simplex test and a poor duplex test (i.e. HE2F1poor,pc < HE1pc). Hence, full FDI for a
dual structure with shutdown capability must incorporate a near-perfect test at one or both
levels in order to improve upon single structure performance.

5.6.4. Entropy Analysis of Triple Redundant Structures


In  this  section,  the  relative  merit  of  a  fault  detection  scheme  for  a  triple  redundant 
control  structure  is  examined.  Results  follow  those  of  the  previous  section.  In  the 
exercises  of  this  thesis,  it  has  been  assumed  that  system  shutdown  is  not  a  possible  system 
state.  Hence,  no  matter  what  decision  branch  is  followed  by  a  fault  detection  scheme,  at 
least one control structure will be utilized in the estimates of the controlled parameter for the
length  of  the  mission.  The  benefit  of  a  fault  detection  scheme  in  this  situation  is  to  alert  the 
operator  and  to  isolate  any  possible  failure  so  that  continuous  operation  can  be  maintained 
with  the  working  controller.  Two  fault  detection  schemes  of  differing  performance  are 
examined  with  respect  to  entropy  and  information  transmission:  the  Triple  Redundant 
Structure  (TRS)  detailed  in  Chapter  4  with  perfect  triplex  detection  and  poor  simplex 
detection,  and  the  perfect  case  of  errorless  detection  at  all  levels.  The  failure  rate  of  the 
example  reliability  budget  (0.000142,  Figure  3.7)  and  the  conditional  error  entropies  of 
Figure  5.5  are  used  in  producing  the  following  figures.  In  each  case,  the  following  are 
derived  and  compared: 

1) Outcome entropy HY3*, mean conditional entropy HC3*, and rate of information
transmission RT3* = HY3* - HC3* for the FDI channel or decision.

2) System state entropy HS3*, mean conditional entropy of the estimation error
HE3*, and system or joint entropy H3* = HS3* + HE3*.

A  control  structure  with  a  decision  scheme  of  maximum  rate  and  minimum  error  variance  is 
optimal  with  respect  to  entropy  (Section  5.5.  and  5.5.1).  The  estimation  error  entropy  for 
these  full  FDI  schemes  will  be  compared  with  those  of  two  techniques  for  passive 
redundancy:  majority  voting  and  fault  masking. 


Note:  *  represents  a  suffix  (e.g.  pc,  wc,  poor)  used  to  distinguish  the  results  for  different 
FDI  schemes.  Results  for  a  redundant  structure  with  a  passive  technique  will  be 
distinguished  here  (e.g.  V  for  majority  voting  and  M  for  fault  masking). 

Perfect Fault Detection at All Levels

$$RT_{3pc} = -R^3 \log R^3 - 3QR^2 \log(3QR^2) - 3RQ^2 \log(3RQ^2) - Q^3 \log Q^3 = H_{S3}$$

$$H_{E3pc} = 3QR^2 \cdot 0.2 + 3RQ^2 \cdot 0.55 + Q^3 \cdot 5.54 < H_{E2F*pc} < H_{E1}$$

(Equations 5.144, 5.145)

TRS (Perfect Triplex and Duplex and Poor Simplex) Fault Detection

$$H_{Y3pc,poor} = -R^3 \log R^3 - 3QR^2 \log(3QR^2) - (3RQ^2 + Q^3)(0.75) \log\big((3RQ^2 + Q^3)(0.75)\big) - (3RQ^2 + Q^3)(0.25) \log\big((3RQ^2 + Q^3)(0.25)\big)$$

$$H_{C3pc,poor} = -(3RQ^2 + Q^3)\,(0.75 \log(0.75) + 0.25 \log(0.25))$$

$$RT_{3pc,poor} = -R^3 \log R^3 - 3QR^2 \log(3QR^2) - (3RQ^2 + Q^3) \log(3RQ^2 + Q^3)$$

$$H_{E3pc,poor} = 3QR^2 \cdot 0.2 + RQ^2 \cdot 0.55 + (2RQ^2 + Q^3) \cdot 5.54$$

(Equations 5.146 - 5.149)

Passive Redundancy Techniques: Fault Masking and Majority-Voting

$$H_{E3M} = (R^3 + 3QR^2 + RQ^2) \cdot 0.55 + (2RQ^2 + Q^3) \cdot 5.54 > H_{E3pc,poor}$$

$$H_{E3V} = 3QR^2 \cdot 4.45 + 3RQ^2 \cdot 4.97 + Q^3 \cdot 5.17$$

(Equations 5.150, 5.151)
Figures 5.24, 5.25

Perfect and worst case fault detection for a triple structure with full FDI are found to
provide the highest rate of information transmission, while poor or noisy fault detection has
a zero transmission rate (Figure 5.24). The perfect case of errorless detection for a triple
structure with full FDI exhibits a dramatic improvement over single and dual structure
performance in terms of reduced error variance due to the third-order effect of its fault
tolerance. Single structure performance is defined by HE1 regardless of any simplex
tests. Error variance for any redundant structure is initially lower due to the averaging of
working controllers and is only gradually increased upon switching to successive stages of
reduced operation (Figure 5.25). The relative improvement of the dual structure over the
single structure is dependent upon the quality of the simplex test. However, a triple
redundant structure of near-perfect triplex and duplex detection and poor simplex detection
shows immediate improvement over single structure performance. It is also found to provide
lower error entropy than both of the examined passive redundancy techniques, although it
does approach the performance of a fault masking scheme as the mission progresses. Fault
masking shows similar promise while majority-voting is easily observed as undesirable.
Hence, a triple structure without shutdown capability can achieve significantly better
performance than a single or dual structure.


The  relative  merit  of  a  fault  detection  scheme  for  a  triple  control  structure  is  now 
examined  where  system  shutdown  is  a  possible  system  state.  Here,  the  system  state  of 
false  alarm  is  given  the  same  weight  as  missed  detection  in  the  tabulation  of  entropy  for  the 
error function (as in Figure 5.11). Here, the benefit of a fault detection scheme is to avoid
faulty performance or product by simply ending the mission.

Perfect Fault Detection at All Levels

$$H_{E3pc} = 3QR^2 \cdot 0.2 + 3RQ^2 \cdot 0.55 < H_{E2F*pc} < H_{E1}$$

(Equation 5.152)

TRS (Perfect Triplex and Duplex and Poor Simplex) Fault Detection

$$H_{E3pc,poor} = 3QR^2 \cdot 0.2 + RQ^2 \cdot 0.413 + (9RQ^2 + 3Q^3) \cdot 1.39$$

(Equation 5.153)

Perfect Triplex and Duplex and No Simplex Fault Detection

$$H_{E3NS} = 3QR^2 \cdot 0.2 + 3RQ^2 \cdot 5.54$$

(Equation 5.154)

Figure 5.26 Error Entropy for Triple Structure with Shutdown and False Alarm Cost (horizontal axis: Time (Days))

The perfect case of errorless detection for a triple structure with full FDI exhibits a
dramatic improvement over single structure performance in terms of a longer average
mission before shutdown (i.e. the mission time where HE3pc = 0). Also, error variance
for any redundant structure is initially lower than for a single structure due to the averaging
of working controllers. The general performance of a triple structure with shutdown is
dependent upon the quality of the tests and proper design of the decision scheme
(Figure 5.26). For example, a triple structure with a poor simplex test (e.g. the TRS)
reaches an error variance much higher than that for a single structure. A second and final
decision stage, where the poor simplex test is not utilized and shutdown is initiated upon a
failed difference test, can achieve lower error entropy than either a single or dual structure
over the entire mission (HE3pc,poor & HE3NS < HE2F2pc,poor & HE2NS < HE1 &
HE1poor). Good results can also be obtained with a perfect simplex test and a poor duplex
test. Hence, full FDI for a triple structure with shutdown capability must incorporate a
near-perfect test in order to improve upon single structure performance. The passive
redundancy techniques of fault masking and majority-voting are obviously not meant for a
system with shutdown capability.
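Equations 5.144 - 5.154 evaluated over mission time, as an added example that is not part of the original thesis. It assumes R = exp(-λt) and Q = 1 - R for each controller, natural logarithms (consistent with 12.2 = ln(200/0.001) in Appendix B), and a per-hour failure rate (so that 1/0.000142 gives the 293-day MTBF); all function names are hypothetical.

```python
import math

# Failure rate from the example reliability budget. The per-hour unit is an
# assumption: 1/0.000142 h = 293 days, the MTBF quoted in Appendix B.
LAMBDA_PER_HOUR = 0.000142
MTBF_HOURS = 1.0 / LAMBDA_PER_HOUR


def reliability(t_hours, lam=LAMBDA_PER_HOUR):
    """Return (R, Q) for one controller under the exponential model."""
    r = math.exp(-lam * t_hours)
    return r, 1.0 - r


def plogp(p):
    """-p log p with the 0 log 0 = 0 convention (natural log, an assumption)."""
    return -p * math.log(p) if p > 0.0 else 0.0


def fdi_channel(t_hours):
    """FDI channel entropies of Equations 5.144 and 5.146 - 5.148."""
    r, q = reliability(t_hours)
    p3, p2, p1, p0 = r**3, 3*q*r**2, 3*r*q**2, q**3  # 3, 2, 1, 0 working
    low = p1 + p0  # states that are left to the poor simplex test
    hy = plogp(p3) + plogp(p2) + plogp(0.75 * low) + plogp(0.25 * low)
    hc = low * (plogp(0.75) + plogp(0.25))
    return {
        "RT3pc": plogp(p3) + plogp(p2) + plogp(p1) + plogp(p0),  # = HS3
        "HY3pc,poor": hy,
        "HC3pc,poor": hc,
        "RT3pc,poor": hy - hc,
    }


def error_entropy_no_shutdown(t_hours):
    """Equations 5.145 and 5.149 - 5.151 (shutdown is not a system state)."""
    r, q = reliability(t_hours)
    qr2, rq2, q3 = q*r*r, r*q*q, q**3
    return {
        "pc": 3*qr2*0.2 + 3*rq2*0.55 + q3*5.54,
        "pc,poor": 3*qr2*0.2 + rq2*0.55 + (2*rq2 + q3)*5.54,
        "M": (r**3 + 3*qr2 + rq2)*0.55 + (2*rq2 + q3)*5.54,
        "V": 3*qr2*4.45 + 3*rq2*4.97 + q3*5.17,
    }


def error_entropy_shutdown(t_hours):
    """Equations 5.152 - 5.154 (shutdown allowed, false alarm weighted)."""
    r, q = reliability(t_hours)
    qr2, rq2, q3 = q*r*r, r*q*q, q**3
    return {
        "pc": 3*qr2*0.2 + 3*rq2*0.55,
        "pc,poor": 3*qr2*0.2 + rq2*0.413 + (9*rq2 + 3*q3)*1.39,
        "NS": 3*qr2*0.2 + 3*rq2*5.54,
    }


def ns_crossover_days(lo=1.0, hi=20000.0, tol=1e-6):
    """Mission time in days after which Eq. 5.154 falls below Eq. 5.153.

    Bisection on HE3pc,poor - HE3NS, which is negative early in the mission
    and positive late in it.
    """
    def gap(t):
        h = error_entropy_shutdown(t)
        return h["pc,poor"] - h["NS"]

    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gap(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi) / 24.0


if __name__ == "__main__":
    for days in (30, 150, 293, 600):
        t = days * 24.0
        ns = error_entropy_no_shutdown(t)
        sd = error_entropy_shutdown(t)
        print(days, {k: round(v, 3) for k, v in ns.items()},
              {k: round(v, 3) for k, v in sd.items()})
    print("no-simplex stage pays off after", round(ns_crossover_days(), 1), "days")
```

With these constants the no-simplex expression (5.154) drops below the TRS expression (5.153) partway through the mission, which is the point at which a second decision stage without the poor simplex test gives the lower error entropy.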


5.7.  Conclusion 


In  this  chapter,  we  seek  to  analyze  all  relevant  a  priori  uncertainty  or  entropy  within 
the  control  system.  The  minimized  Gaussian  error  function  and  the  maximized  exponential 
reliability  function  provide  a  complete  concept  of  all  a  priori  knowledge  of  the  control 
structure.  The  marginal  or  conditional  probabilities  of  the  FDI  schemes  describe  the 
performance  statistics  associated  with  the  redundant  structure.  The  resultant  set  of  system 
states  and  their  associated  probabilities,  as  illustrated  by  the  decision  tree,  represents  all  a 
priori  uncertainty  in  the  control  system. 

Information  theory  defines  entropy  as  a  logarithmic  measure  of  the  randomness  or 
'choice'  involved  in  an  event  or  the  prior  uncertainty  of  the  outcome  of  an  experiment. 
Entropy  can  be  formulated  from  the  probabilities  of  an  exhaustive  set  of  n  possible  events 
or  states  (discrete  case)  or  from  the  probability  density  function  of  a  continuous  distribution 
(continuous  case).  The  concept  of  entropy  has  a  rich  history  that  defies  disciplinary 
boundaries  in  its  application.  Its  widespread  application  attests  to  its  fundamental  nature 
and  allows  for  linkage  into  a  more  comprehensive  system  representation  of  uncertainty  by 
incorporation  of  other  system  entropies.  Thus,  entropy  is  a  measure  of  our  a  priori 
knowledge  or,  more  appropriately,  lack  of  knowledge  (i.e.  ignorance/uncertainty)  in  terms 
of  the  a  priori  probabilities.  Further,  this  metric  of  uncertainty  allows  for  comparisons  of 
the effective system performance for different redundant structures.

Shannon  evaluated  the  performance  of  a  general  communication  system  in  the 
presence  of  noise.  In  this  context,  a  control  structure  can  be  considered  the  channel  which 
attempts  to  communicate  control  needs  to  the  process  while  contending  with  error  or  noise 
sources  inherent  within  the  signal  transmission.  Due  to  these  errors,  it  is  not  possible  to 
completely reconstruct the transmitted signal by any operation upon the received signal and
information is lost. A system designer always tries to optimize the rate of transmission by
maximizing source information and by minimizing information losses due to interference.
A large bandwidth and signal-to-noise ratio (SNR) are desired for the source and a
minimized variance is desired for the Gaussian noise or error in order to maximize the
information rate of the control structure.

Shannon  found  methods  of  transmitting  or  encoding  the  source  signal  which  are 
optimal  in  combating  noise.  By  Shannon's  Fundamental  Theorem,  if  the  entropy  or 
information  of  a  source  is  less  than  the  system's  capacity,  then  there  exists  an  encoding 
scheme  for  transmission  across  the  channel  which  achieves  an  arbitrarily  small  probability 
of  error.  This  is  possible  by  sending  the  information  in  a  redundant  form  and  performing  a 
statistical  analysis  on  the  different  received  versions  of  the  message.  This  reduction  in 
decision  error  causes  a  subsequent  reduction  in  the  lost  information  due  to  noise  and, 
hence,  an  increase  in  the  rate  of  transmission  for  the  channel.  However,  these  benefits  are 
at  a  cost  of  increased  complexity  and  either:  hardware  for  physical  redundancy,  or  delay  for 
repeated  messages  over  the  same  channel.  The  cost  of  errorless  transmission  is  infinite 
communication  channels  or  infinite  delay  time.  Hence,  it  is  not  possible  to  transmit 
information  over  a  noisy  channel  without  some  probability  of  error. 

A  redundant  structure  can  be  considered  the  channel  which  attempts  to  correctly 
determine  or  communicate  the  current  state  of  the  system  while  contending  with  error  or 
noise  sources  inherent  within  the  decision.  The  system  states  and  error  sources  possible 
for  a  redundant  structure  can  be  identified  by  a  decision  tree.  This  decision  tree  also 
represents  explicitly  the  discrete  communication  or  information  channel  for  a  redundant 
structure. Due to decision errors in the FDI scheme, it is not possible to completely know
the current system state by any operation upon the parity vector and information can be
lost.

The rate of information transmission across the discrete channel of the FDI decision
scheme is optimized by maximizing the mutual information between the input and output
states. First, the extent of our a priori or input knowledge H(X) is maximized. The
entropy of the exponential reliability distribution is defined by the MTBF. Hence, a more
reliable control structure with a greater MTBF is desired. Second, system or output
knowledge H(Y) is maximized by increasing the granularity or number of the output
system  states.  Entropy  of  the  system  state  set  exhibits  a  characteristic  "humped"  curve 
which  monotonically  increases  with  the  level  of  redundancy.  However,  the  gains  of  this 
additional  knowledge  cannot  be  realized  (and  can  even  be  at  a  detriment)  if  it  is 
accompanied  by  poor  utilization  or  transmission  losses.  The  channel  loss  or  uncertainty  of 
the  FDI  scheme  must  be  minimized  by  approaching  the  ideal,  matched  transmission 
scheme.  Proper  utilization  of  a  redundant  structure  would  also  minimize  the  error  variance 
of  the  controlled  parameter.  This  corresponds  with  the  perfect-case  of  errorless  decision. 
A  large  failure  signal-to-noise  ratio  (SNR)  is  required  in  order  to  approach  the  perfect-case. 
The  mean  conditional  entropy  of  the  error  or  noise  is  found  to  decrease  with  each  level  of 
redundancy  when  a  near-optimal  FDI  scheme  is  employed.  In  conclusion,  the  optimal  rate 
of  information  transmission  for  the  discrete  FDI  decision  scheme  of  a  redundant  structure 
for  fault-tolerance  is  reached  by  utilizing  a  highly  reliable  control  structure  at  the  greatest 
level  of  redundancy  while  maintaining  near-perfect  FDI  at  all  levels  of  operation.  This 
allows  maximizing  the  information  rate  of  the  FDI  decision  scheme  while  minimizing  the 
error  variance  of  the  controlled  parameter.  Further,  the  average  mission  or  period  of 
working  operation  is  increased. 


Perfect  and  worst  case  fault  detection  are  found  to  provide  the  highest  rate  of 
information  transmission,  while  poor  or  noisy  fault  detection  has  a  zero  transmission  rate. 
The  Bayes  criterion  allows  a  higher  information  rate  than  the  Neyman-Pearson  criterion  due 
to  its  minimization  of  decision  error.  Higher  information  rates  can  be  achieved  with  each 
level  of  redundancy.  Although  duplex  fault  detection  has  a  higher  transmission  rate 
initially,  duplex  tests  are  outperformed  by  simplex  tests  beyond  the  MTBF  due  to  their 
inability  to  distinguish  between  dual  and  single  failures.  Hence,  a  full  FDI  decision  scheme 
is  suggested  for  redundant  structures  which  incorporates  any  quality  simplex  schemes  in 
order  to  improve  fault  tolerance. 

For  a  redundant  structure  without  shutdown  capability,  the  perfect  case  of  errorless 
detection  with  full  FDI  exhibits  a  dramatic  improvement  with  the  level  of  redundancy  in 
terms  of  reduced  error  variance  and  a  longer  period  of  working  operation  due  to  increased 
fault tolerance. Single structure performance is defined by HE1 regardless of any
simplex  tests.  Error  variance  for  a  perfect  redundant  structure  is  initially  lower  due  to  the 
averaging  of  working  controllers  and  is  only  gradually  increased  upon  switching  to 
successive  stages  of  reduced  operation.  The  relative  improvement  of  the  dual  structure 
over  the  single  structure  is  dependent  upon  the  quality  of  the  simplex  test.  However,  a 
triple  redundant  structure  of  near-perfect  triplex  and  duplex  detection  and  poor  simplex 
detection  (e.g.  the  TRS  of  Chapter  4)  shows  immediate  improvement  over  single  structure 
performance. It is also found to provide lower error entropy than both of the examined
passive  redundancy  techniques,  although  it  does  approach  the  performance  of  a  fault 
masking  scheme  as  the  mission  progresses.  Fault  masking  shows  similar  promise  while 
majority-voting  is  easily  observed  as  undesirable.  Hence,  a  triple  structure  without 
shutdown  capability  can  achieve  significantly  better  performance  than  a  single  or  dual 
structure.

For a system with zero shutdown cost and high false alarm cost, analysis of error
entropy allows determination of the relative merit of redundant structures. For example,
this cost analysis allows determination of whether a fault detection scheme is acceptable for
even a single control structure and, if so, when during the mission it should be utilized.
The perfect case of errorless detection with full FDI exhibits a dramatic improvement with
the  level  of  redundancy  in  terms  of  reduced  error  variance  and  a  longer  period  of  working 
operation  due  to  increased  fault  tolerance.  The  general  performance  of  a  redundant 
structure  with  shutdown  is  dependent  upon  the  quality  of  the  tests  and  proper  design  of  the 
decision  scheme.  Results  indicate  the  need  to  switch  the  FDI  decision  scheme  for  different 
stages  of  the  mission  in  all  but  the  most  perfect  case.  It  is  concluded  that  precedence  for  the 
full  FDI  decision  scheme  should  agree  with  the  most  probable  state  for  the  given  mission 
time  (i.e.  assume  the  dominant  prior  when  designing  the  decision  scheme).  If  any  tests 
should  dominate  the  others  in  quality,  then  only  they  should  be  utilized  throughout  the 
mission.  Conversely,  any  tests  of  poor  or  worse  quality  are  generally  not  utilized. 
However,  a  redundant  structure  with  shutdown  capability  must  incorporate  at  least  one 
near-perfect  test  in  order  to  improve  upon  single  structure  performance.  The  passive 
redundancy techniques of fault masking and majority-voting are found to be inappropriate
for a system with shutdown capability.

APPENDIX A

Example Error Analysis of a Control Structure

System Element                      Error (%FS)
Sensor linearization                0.0111
Cold junction compensation          0.0222
Input RC filter                     0.0001
Signal quality                      0.2370
OP-07 amplifier                     0.0370
CMOS multiplexer                    0.0110
A/D converter                       0.0066
Intersample                         0.0319
Sinc                                0.0150
Aliasing                            0.2205
Mean values                         0.0484
RSS values                          0.3276
Existing measurement error bound    0.3760 %FS (6.77 °C)

Note: In addition to the above repeatability errors associated with the
temperature measurement, Omega Engineering documents the limits of error
of the Type-C Hoskins thermocouple from true temperature.

Temperature Range    Limits of Error
0 - 425 °C           ± 4.5 °C of true temperature
425 - 2320 °C        ± 1 % of the reading

Figure A.1 Process Control Structure


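Input Parameters

Input Vs = 0 - 31 mV from 0 °C - 1800 °C
Type C thermocouple, Rs = 100 Ω
Sampled at fs = 3.75 Hz

$$\text{Signal BW} = \frac{dV_s}{dt} \cdot \frac{1}{\pi \cdot V_{FS_{in}}} = \frac{20\ ^\circ\text{C} \cdot 0.016\ \text{mV}/^\circ\text{C}}{60\ \text{sec}} \cdot \frac{1}{\pi \cdot 31\ \text{mV}} = 0.05\ \text{Hz} \qquad (1)$$

Vnoise,in = 190 mVpp (67.2 mVrms) at fcoherent oscillator

$$\text{Input SNR}_{coherent} = \left(\frac{V_{FS_{in}}}{V_{noise_{in}}}\right)^2 = \left(\frac{31\ \text{mV}}{67.2\ \text{mV}}\right)^2 = 0.213\ \text{numerical} \qquad (2)$$

Sensor

$$\text{Linearization error} = \frac{0.2\ ^\circ\text{C rated}}{1800\ ^\circ\text{C FS}} \cdot 100\% = 0.0111\ \%\text{FS} \qquad (3)$$

$$\text{CJC error} = \frac{0.4\ ^\circ\text{C rated}}{1800\ ^\circ\text{C}} \cdot 100\% = 0.022\ \%\text{FS} \qquad (4)$$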
Input RC Filter

Filter error = mean of [1.0 - A(f)] over the signal band from 0 to BW, times 100% = 0.0001 %FS    (5)

$$\text{where } A(f) = \frac{1}{\sqrt{1 + (f/f_c)^2}} \qquad (6)$$

$$\text{and } f_c = \frac{1}{2\pi RC} = 21.9\ \text{Hz, input RC filter (RC = 7.27 ms)} \qquad (7)$$

BASIC Program to Compute Filter Error

90 REM Average of 1 - A(f) at ten equally spaced frequencies up to BW
100 SUM = 0
110 BW = 0.05
120 FC = 21.922
130 FOR I = 1 TO 10
140 X = 1 - (1/(SQR(1+(I*BW/(10*FC))^2)))
150 SUM = SUM + X
160 NEXT I
170 SUM = (SUM/10) * 100
180 PRINT "Average Filter Error = ";SUM;" %FS"

Output of Program

Average Filter Error = 1.013279E-04 %FS


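Signal Quality

$$\text{Filter SNR}_{coherent} = \text{Input SNR}_{coherent} \cdot \left[1 + \left(\frac{f_{coherent}}{f_c}\right)^2\right] = (0.213) \cdot \left[1 + \left(\frac{20\ \text{kHz}}{21.9\ \text{Hz}}\right)^2\right] = 177{,}644 \qquad (8)$$

(1.87 X 10^2 prefiltered)

$$\text{Amplitude error} = \frac{100\ \%}{\sqrt{\text{Filter SNR}_{coherent}}} = 0.237\ \%\text{FS} \qquad (9)$$

(1 X 10'^ %FS prefiltered)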
Combined Internal Noise

Thermal noise = √[(4)(1.38 × 10^-23)(293 °K)(100 Ω)] = 1.27 nVrms/√Hz    (10)

Contact noise = (0.57 × 10^-9) · Rs · √(Ibias / (0.1% · BW)) = (0.57 × 10^-9) · (100 Ω) · √(3 × 10^-10 A / (0.1% · 0.05 Hz)) = 0.1396 nVrms/√Hz    (11)

Vn = 18 nVrms/√Hz    OP-07 amplifier
In = 0.8 pArms/√Hz    OP-07 amplifier

fhi = Gain-Bandwidth Product of OP-07 amplifier / Gain of OP-07 Amplifier = 600 kHz / 75.77 = 7.92 kHz    (12)

where gain = Integrator period 16.67 ms / RC product 0.22 ms

VNrms = √[(thermal noise² + contact noise²) · fc + (Vn² + In² · Rs²) · fhi]

VNpp = VNrms · 6.6 = 10.57 µV    (13)

VNrms = √{[(1.27 nV)² + (0.139 nV)²] · 21.9 kHz + [(18 nV)² + (0.8 nV)²] · 7.92 kHz} = 1.602 µV    (14)
OP-07 Amplifier

Vos (nulled)                                                      75 nV
(dVos/dT) · dT, with dT = 10 °C                                   2 µV
Ios · Rs = (0.8 nA) · (100 Ω)                                     0.08 µV
VNpp (Combined Internal Noise)                                    10.57 µV
f(Av) · VFSout/Av = (100 ppm) · 2.349 V/75.77                     3.1 µV
(dAv/dT) · dT · VFSout/Av = (5 ppm) · (10 °C) · 2.349 V/75.77     1.55 µV
VRSS error at input                                               11.38 µV

Amplifier error = VRSS · Av/VFSout · 100% = 11.38 µV · 75.77/2.349 V · 100% = 0.037 %FS

CMOS Multiplexer

Transfer error                        0.010 %
Crosstalk                             0.001 %
Leakage                               0.001 %
Multiplexer error                     0.011 %FS

14-Bit A/D Converter

Differential nonlinearity (½ LSB)     0.0030 %
Quantizing uncertainty (½ LSB)        0.0030 %
Linearity tempco · 10 °C              0.0020 %
A/D error                             0.0066 %FS
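Sampling

$$\text{Intersample error} = \frac{\sqrt{2} \cdot \pi \cdot BW \cdot V_{FS_{in}}}{\sqrt{6} \cdot f_s \cdot V_{FS_{out}}} \cdot 100\% = \frac{\sqrt{2}\,(\pi)(0.05\ \text{Hz})(31\ \text{mV})}{\sqrt{6}\,(3.75\ \text{Hz})(2.349\ \text{V})} \cdot 100\% = 0.0319\ \%\text{FS} \qquad (15)$$

$$\text{Sinc error} = \frac{1}{2}\left[1 - \frac{\sin(\pi BW / f_s)}{\pi BW / f_s}\right] \cdot 100\% = \frac{1}{2}\left[1 - \frac{\sin\left(\pi (0.05\ \text{Hz}) / 3.75\ \text{Hz}\right)}{\pi (0.05\ \text{Hz}) / 3.75\ \text{Hz}}\right] \cdot 100\% = 0.015\ \%\text{FS} \qquad (16)$$

$$\text{Aliasing error} = \frac{V_{noise_{in}}}{V_{FS_{in}}} \cdot \frac{1}{\sqrt{1 + \left(f_{coherent}/f_c\right)^2}} \cdot \text{sinc}\left(\frac{m f_s - f_{coherent}}{f_s}\right) \cdot 100\% \qquad (17)$$

where m = 5334, a multiple of the sampling frequency

$$= \frac{67.2\ \text{mV}}{31\ \text{mV}} \cdot \frac{1}{\sqrt{1 + \left(20\ \text{kHz} / 21.9\ \text{Hz}\right)^2}} \cdot \text{sinc}\left(\frac{20002.5\ \text{Hz} - 20\ \text{kHz}}{3.75\ \text{Hz}}\right) \cdot 100\% = (2.16)(0.0011)(0.928)(100\%) = 0.2205\ \%\text{FS}$$

(2 X 10'^ %FS prefiltered)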
Appendix B

System Entropy of Redundant Structures
With Respect to the Failure Time and Conditional Error Functions

This exercise is presented as a traditional analysis of the uncertainty inherent within
continuous distributions. A single and dual redundant control structure are reviewed with
respect to the failure time and conditional error functions for a given mission length T. The
measure function of Section 5.4 is included in order to provide a common basis for
uncertainty comparisons. It is found that structure entropy is increased with mission time T
and level of redundancy N. These results are concerned with the uncertainty of the exact
time of failure (i.e. the failure time function), but this is not typically a decision that is
made. A more relaxed decision is traditionally made regarding structure (un)reliability for a
given time t of the process or mission. Section 5.6 provides a system entropy analysis for
these more commonly made decisions with respect to the reliability distribution.

A joint or system entropy Hsystem(T), which represents all a priori uncertainty
inherent within a control structure for a given mission time T, can be formulated directly
from the entropy of the failure time density function f(t) for the structure and the mean
conditional entropy of the error function with respect to the structure failure time tf (as per
Equation 5.12c).

$$H_{system}(T) = H(e,f|T) = H(f|T) + H(e|f,T)$$

A  common  measure  function  for  the  conditioned  error  and  failure  time  density  functions  of 
the  DDRS  is  needed  to  define  the  zero  position  on  the  entropy  scale  in  order  to  facilitate 
uncertainty  comparisons  and  formulation  of  a  joint  or  system  entropy.  Intrinsically,  zero 
entropy  represents  the  most  certain  or  accurate  distribution.  A  uniform  measure  function 
m(x) = 1/Δx with Δx arbitrarily chosen to be 0.001 %FS (representing an accuracy of ±
0.0005 %FS) is defined to be the most certain or accurate distribution. It is standard
engineering practice that 5 orders of magnitude difference can be considered relatively
unmeasurable or zero. Fullscale value for the failure time density function shall be the
mission time T, with a default value of T = ∞ unless otherwise specified. The entropy
relative to this common measure function, determined by Equation 5.9 for the conditioned
error and failure time density functions, is as follows:

$$H(e|\text{Both Structures Working}) = \log\left(\frac{\sigma\sqrt{2\pi e}}{0.001\ \%\text{FS} \cdot \sqrt{2}}\right)$$

$$H(e|\text{Single Structure Working}) = \log\left(\frac{\sigma\sqrt{2\pi e}}{0.001\ \%\text{FS}}\right)$$

$$H(e) = H(e|\text{Neither Structure Working}) = \log\left(\frac{200\ \%\text{FS}}{0.001\ \%\text{FS}}\right)$$


H(flT) 


T  r 


X  exp(-  Xt) 
0.00001  *T 


at 


(log(?i)  -  XT  -  1)  exp(-  XT)  +  log( 


) 


All  of  the  above  equations  assume  independence  of  the  two  structures.  Note  that  the 
entropy  is  dimensionless  within  the  logarithm  due  to  the  measure  function.  The  first  two 
equations  are  derived  directly  from  Shannon's  entropy  for  a  Gaussian  distribution 
(Equation  5.3)  with  application  of  the  change  in  error  deviation  for  redundant  structures 
(Equation  3.3).  The  third  equation  assumes  a  uniform  conditioned  error  distribution  over 
all  possible  values  (±  100%FS)  and  is  derived  directly  from  Shannon's  entropy  for 
uniform  distributions  (Equation  5.2).  This  equation  also  represents  the  error  distribution 
entropy  with  no  knowledge  of  the  working  states  of  the  dual  structures.  The  last  equation 
defines  entropy  for  the  failure  time  density  function  (Equation  3.6)  and  the  given  mission 
time T. It is derived directly from Shannon's entropy for exponential distributions
(Equation 5.4). As the mission time approaches +∞, H(f|T) = H(f) approaches -∞ (i.e.
absolute certainty in the failure time relative to the total mission time).

The mean conditional entropy H(e|f,T) of the error function e(x) (Equation 5.17) is
defined  as  the  uncertainty  of  the  error  for  a  given  failure  time  tf  and  averaged  over  the 
mission  time  T  with  respect  to  the  failure  time  function  f(t)  (as  per  Equation  5.15c).  The 
probability  of  the  error  for  a  given  failure  time  can  be  defined  from  the  component 
probabilities  of  the  error  conditioned  upon  the  reliability  R(t)  and  unreliability  Q(t)  of  the 
control  structure.  The  entropy  of  the  error  conditioned  upon  the  reliability  (Structure 
Working)  and  unreliability  (Structure  Not  Working)  was  derived  above. 

J  f  £(xlt,tf)  ^ 

H(el  f,T)  =  -  J  f(t)  J  8(xl  t,tp  log  at 

0  -FS 

8(xl  t,tj )  =  p(e  =  xl  t,tp  =  p(e  =  xl  t  <  tp  p(t  <  tp  +  p(e  =  xl  t  >  tp  p(t  >  tp 
=  Gaussian  (0,0)  x  R3(t)  +  200%FS  ^ 

T  FS 

H(el  f,T)  =  -  J  f(t)  RgCt)  J  Gaussian  (0,a)  log  0x  + 

0  -FS 

FS 

f(t)  Qs(t)  j  200%FS  200%FS  m(x) 

-FS 

T 

H{e\  f,T)  =  I  f(t)  RgCt)  H(el  Structure  Working)  +  f(t)  Q^{i)  H(el  Structure  Not  Working)  dt 
0 

T 

0 

oZr%ls  >  ■  exp(-21t))  3t 

0 
H(e|f,T) = ½ log( ) (1 - exp(-2λT)) + 12.2 (1 - exp(-λT))

Note that the mean conditional entropy is less than the unconditioned entropy for all T.

$$H(e|f,T) < H(e) = 12.2$$

Similarly, a joint or system entropy Hsystem(T), which represents all a priori
uncertainty inherent within the DDRS for a given mission time T, can be formulated
directly from the entropy of the failure time density functions f1(t) and f2(t) for the two
redundant structures and the mean conditional entropy of the error function with respect to
the structure failure times tf1 and tf2. All entropy is formulated with respect to an arbitrary
measure function m(x) in order to define a common zero point on the entropy scale
(Equation 5.9).

$$H_{system}(T) = H(e,f_1,f_2|T) = H(f_1|T) + H(f_2|f_1,T) + H(e|f_1,f_2,T)$$

The uncertainty H(f2|f1,T) of the failure time function f2(t) for the second control structure
over a given mission time T conditioned on the knowledge of the failure time tf1 for the first
structure is equivalent to the unconditioned entropy of the failure time since the
performance of the two structures is independent.

H(f2|f1,T) = H(f2|T) = (log(λ) - λT - 1) exp(-λT) + log( )

This increase in system entropy is replicated (linearly proportional) with each additional
level of redundancy. The mean conditional entropy H(e|f1,f2,T) of the error function e(x)
is defined by its component entropies which are further conditioned upon the state of the
system: both structures working, single structure working, neither structure working.
H(e|f1,f2,T) = - ∫_0 ∫_0 f(t1) f(t2) ∫_-FS ε(x|t,tf1,tf2) log( ) dx dt2 dt1

ε(x|t,tf1,tf2) = p(e = x | t < tf1, t < tf2) p(t < tf1, t < tf2) +
                 p(e = x | t < tf1, t ≥ tf2) p(t < tf1, t ≥ tf2) +
                 p(e = x | t ≥ tf1, t < tf2) p(t ≥ tf1, t < tf2) +
                 p(e = x | t ≥ tf1, t ≥ tf2) p(t ≥ tf1, t ≥ tf2)

£(xl  =  Gaussian  (0,  x  Rg(t)  +  Gaussian  (0,a)  x  2  R^Ct)  Q^Ct)  +  200%]^  ^ 

T  ^ 

TT 

H(elfj,f2,T)  =  Jl  f(tj)  f(t2)  X  [Rg(tj)  R3(t2)  K(el  Both  Structures  Working)  + 

00 

(RjOj)  Q3(t2)  +  QsOp  Structure  Working  + 

Qs(tj)  Q5(t2)  H(el  Neither  Structure  Working)]  0t2  atj 
TT 

H(el  f,4T)  =  JJ  X'  exp(-Xt,)  exp(-Xtj)  x  [Rsft,)  RjCt^)  log  " 

00  •  O 

(R5(tj)  +  R5(t2))  log +  iogo;oor%Fs^  at2  at^ 

H(el  fi,f2,T)  =  5.93  (1  -  exp(-2XT))^  +  log(  )  d  -  exp(-2XT))  (1  -  exp(-?iT)) 

+  12.2  (1  -  exp(-XT)) 


$$H(e|f_1,f_2,T) < H(e) = 12.2 + 5.93 = 18.13$$

The standard deviation of the example error budget (0.3276%FS, Figure 2.4) and the
failure rate of the example reliability budget (0.000142, Figure 3.7) are used in producing
Figures B.1 - B.5.

Figure B.5 Joint or System Entropy (Joint Entropy for a Single and Dual Structure)

As presented in Figures B.1 and B.4, entropy is increased for longer mission times
with respect to the failure time function and the error function conditioned on the failure
time. This application of entropy represents the uncertainty of the exact time of failure of
each structure and of the exact amount of error given the failure time. The introduction of
the measure function m(x) (Figure B.2) provides an exception for very short/long mission
times where it is impossible/easy to define the exact failure time with respect to the mission
time (Figure B.3). Thus, the entropy decreases with an increase in mission time for very
small/long mission times. However, the time interval of interest is for mission times about
the MTBF (i.e. 293 days for the example failure rate used).

As  presented  in  Figures  B.4  -  B.5,  entropy  is  also  increased  for  an  additional  level 
of  redundancy  with  respect  to  the  failure  time  function  and  the  error  function  conditioned 
on  the  failure  time.  This  result  seems  reasonable  since  we  would  expect  additional 
uncertainty  with  each  additional  structure  of  uncertain  reliability.  Due  to  the  independence 
assumption  for  redundant  structures,  this  increase  in  the  failure  time  entropy  is  linearly 
proportional  to  the  level  of  redundancy.  This  increase  in  entropy  is  also  apparent  in  the 
conditional  error  function  (Figure  B.4)  except  in  missions  of  a  short  period  where  the 
reduction  in  error  variance  plays  a  key  role.  Regardless,  the  joint  or  system  entropy  of  the 
control  structure  is  increased  with  redundancy  for  all  mission  times  (Figure  B.5). 

The  key  point  of  this  application  is  the  use  of  the  failure  time  function  as  the  basis 
for  the  system  uncertainty.  However,  the  exact  time  of  a  structure  failure  is  not  typically  a 
decision  made  for  a  given  mission  or  process.  The  more  relaxed  decision  of  structure 
(un)reliability  at  a  given  time  of  the  process  (i.e.  the  possibility  of  a  failure  occurring 
before/after  the  given  time)  is  the  more  conventional  application  of  this  knowledge. 
Section  5.6  provides  a  joint  or  system  entropy  of  the  control  structure  for  a  given  time  t 
based  on  the  binary  (un)reliability  event  set  and  the  continuous  error  function  conditioned 
upon  these  events. 
Appendix C
Matlab Programs


% Calculation of Threshold T and probability of error pE
% over time t for DDRS fault detection and isolation
% under Bayes and Neyman-Pearson criteria

% Matlab program, Victor J. Hunt (9/91)

sigma = .3276*sqrt(2);
lamda = .000142*24;
f = 5*sigma;

for i=1:1600, t(i) = i;

  %Prior: Event 0
  E0(i) = exp(-2*lamda*i);

  %Threshold by Bayes criterion
  %T(i) = f/2 + sigma*sigma*log(E0(i)/(1-E0(i)))/f;
  %if T(i) < 0, T(i) = 0; end;
  %if T(i) > 100, T(i) = 100; end;

  %Threshold by NP criterion
  T(i) = 3*sigma;

  %Prior: Event 2
  E2(i) = (.01*T(i) - T(i)^2/40000)*((1-exp(-1*lamda*i))^2);

  %Conditionals
  p00(i) = erf(T(i)/(sigma*sqrt(2)));
  p10(i) = 1-p00(i);
  p01(i) = 0.5*(erf((T(i)-f)/(sigma*sqrt(2))) - ...
           erf(-1*(T(i)+f)/(sigma*sqrt(2))));
  p11(i) = 1-p01(i);

  %Prob. of Error for fault detection
  pE0(i) = E0(i)*p10(i); %false alarm
  pE2(i) = E2(i)*p00(i); %missed detection
  pE1(i) = (1-E0(i)-E2(i))*p01(i); %missed detection
  pEd(i) = pE0(i)+pE1(i)+pE2(i);

  %Prob. of Error for fault isolation
  %pEi(i) = (1 - .02*T(i) - T(i)^2/10000)*((1-exp(-1*lamda*i))^2)*p11(i) + ...
  %         E2(i)*p10(i) + (exp(-1*lamda*i) - E0(i))*p11(i);

  %Total prob. of error
  %pE(i) = pEd(i) + pEi(i);

end;


% Calculation of Threshold T and probability of error pE
% over increasing f and time t for DDRS fault detection
% under Bayes and Neyman-Pearson criteria

% Matlab program, Victor J. Hunt (9/91)

sigma = .3276*sqrt(2);
lamda = .000142*24;

for j=1:10 % Ten different f magnitudes

  f = 0.5*j*sigma;

  %Threshold & Conditionals for NP criterion (constant)
  T = 3*sigma;
  p00 = erf(T/(sigma*sqrt(2)));
  p01 = 0.5*(erf((T-f)/(sigma*sqrt(2))) - erf(-1*(T+f)/(sigma*sqrt(2))));
  p10 = 1 - p00;
  p11 = 1 - p01;

  for i=1:1600 % Mission length = 1600 days

    %Prior: Event 0
    E0 = exp(-2*lamda*i);

    %Threshold for Bayes criterion
    %T(j,i) = f/2 + sigma*sigma*log(E0/(1-E0))/f;
    %if T(j,i) < 0, T(j,i) = 0; end;
    %if T(j,i) > 100, T(j,i) = 100; end;

    %Prior: Event 2
    E2 = (.01*T - T^2/40000)*((1-exp(-1*lamda*i))^2);

    %Conditionals for Bayes criterion
    %p00 = erf(T(j,i)/(sigma*sqrt(2)));
    %p01 = 0.5*(erf((T(j,i)-f)/(sigma*sqrt(2))) - ...
    %      erf(-1*(T(j,i)+f)/(sigma*sqrt(2))));
    %p10 = 1 - p00;
    %p11 = 1 - p01;

    %Prob. of Error
    pE(j,i) = E0*p10 + E2*p00 + (1-E0-E2)*p01;

  end;

end;


% Calculation of two estimates (T1,T2) for Circular Threshold T
% and probability of error pE over time t for TRS fault
% detection under Bayes criteria

% Matlab program, Victor J. Hunt (9/91)

sigma = .3276;
lamda = .000142*24;
f = 5*sigma*sqrt(2);
F = f*sqrt(2/3);

for i=1:1600, t(i) = i;

  %Prior: Event 0
  E0 = exp(-3*lamda*i); r = exp(-lamda*i);

  %Two Threshold estimates under Bayes criterion
  T1(i) = sqrt(F*F/2 + sigma*sigma*log(E0/(1-E0)));
  T22 = F*F/2 + (sigma*sigma*6/f/f + 2)*sigma*sigma*log(E0/(1-E0));
  if T22 < 0, T2(i) = 0;
  else T2(i) = sqrt(T22);
  end;

  %Prior: Event 2
  E21 = 9*T1(i)^2/80000*(3*r*(1-r)^2);
  E22 = 9*T2(i)^2/80000*(3*r*(1-r)^2);

  %Prior: Event 3
  E31 = 0.536*T1(i)*T1(i)^2/1000000*((1-r)*(1-r)^2);
  E32 = 0.536*T2(i)*T2(i)^2/1000000*((1-r)*(1-r)^2);

  %Conditionals
  p101(i) = exp(-1*T1(i)^2/2/sigma/sigma);
  p011(i) = 0.5*(erf((T1(i)-F)/(sigma*sqrt(2))) - ...
            erf(-1*(T1(i)+F)/(sigma*sqrt(2))));
  p102(i) = exp(-1*T2(i)^2/2/sigma/sigma);
  p012(i) = 0.5*(erf((T2(i)-F)/(sigma*sqrt(2))) - ...
            erf(-1*(T2(i)+F)/(sigma*sqrt(2))));

  %Prob. of Error for fault detection (threshold T1)
  pE01(i) = E0*p101(i); %false alarm
  pE21(i) = E21*(1-p101(i)); %missed detection
  pE31(i) = E31*(1-p101(i)); %missed detection
  pE11(i) = (1-E0-E21-E31)*p011(i); %missed detection
  pEd1(i) = pE01(i)+pE11(i)+pE21(i)+pE31(i);

  %Prob. of Error for fault detection (threshold T2)
  pE02(i) = E0*p102(i); %false alarm
  pE22(i) = E22*(1-p102(i)); %missed detection
  pE32(i) = E32*(1-p102(i)); %missed detection
  pE12(i) = (1-E0-E22-E32)*p012(i); %missed detection
  pEd2(i) = pE02(i)+pE12(i)+pE22(i)+pE32(i);

end;


% Calculation of state HS, error HE, and total system HT
% entropies over time for single, dual, and triple
% redundant structures w/o FDI or reconfiguration

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

e = 2.718282;
sigma = .3276; %Single structure error deviation
lamda = .000142*24; %Single structure failure rate

% The loop header is absent from the scanned listing; the range below is
% the one used by the other programs in this appendix.
for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r(i) = exp(-1*lamda*i); q(i) = 1-r(i);

  %Single Structure Entropy
  HS1(i) = -1*r(i)*log(r(i)) - q(i)*log(q(i));
  HE1(i) = r(i)*log(sqrt(3)) + ...
           q(i)*log(200*sqrt(3/2)/(sigma*sqrt(pi*e)));
  HT1(i) = HS1(i) + HE1(i);

  %Dual Structure Entropy
  HS2(i) = -1*r(i)^2*log(r(i)^2) - 2*r(i)*q(i)*log(2*r(i)*q(i)) - ...
           q(i)^2*log(q(i)^2);
  HE2(i) = r(i)^2*log(sqrt(3/2)) + ...
           2*r(i)*q(i)*log(100*sqrt(3/2)/(sigma*sqrt(pi*e))) + ...
           q(i)^2*log(100/(sigma*sqrt(2)));
  HT2(i) = HS2(i) + HE2(i);

  %Triple Structure Entropy
  HS3(i) = -1*r(i)^3*log(r(i)^3) - 3*q(i)*r(i)^2*log(3*q(i)*r(i)^2) - ...
           3*r(i)*q(i)^2*log(3*r(i)*q(i)^2) - q(i)^3*log(q(i)^3);
  HE3(i) = 3*q(i)*r(i)^2*log(100*sqrt(2/3)/(sigma*sqrt(pi*e))) + ...
           3*r(i)*q(i)^2*log(100*sqrt(2)/(3*sigma)) + ...
           q(i)^3*log(100/(sigma*sqrt(3)));
  HT3(i) = HS3(i) + HE3(i);

  %Worst-case Conditional Error Entropy
  HE(i) = log(200*sqrt(3/2)/(sigma*sqrt(pi*e)));

end;


% Calculation of error HE entropy over time t for
% Single structure with FDI which is: poor,
% worst-case, and perfect-case

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

% e and sigma are not set in this listing; the values below are those of
% the preceding entropy program, so the script also runs on its own.
e = 2.718282;
sigma = .3276;

lamda = .000142*24; %Single structure failure rate
for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)
  HS2p(i) = -1*r^2*0.5*log(r^2*0.5) - q*r*log(q*r) - ...
            (r^2*0.5 + q*r*0.5)*log(r^2*0.5 + q*r*0.5) - ...
            (q^2*0.5 + q*r*0.5)*log(q^2*0.5 + q*r*0.5) - ...
            q^2*0.5*log(q^2*0.5);

  %Cond. Error Entropy
  HE2p(i) = r^2*0.5*log(sqrt(3/2)) + ...
            q*r*log(100*sqrt(3/2)/(sigma*sqrt(pi*e))) + ...
            (r^2*0.5 + q*r*0.5)*log(sqrt(3)) + ...
            (q^2*0.5 + q*r*0.5)*log(200*sqrt(3/2)/(sigma*sqrt(pi*e))) + ...
            q^2*0.5*log(100/(sigma*sqrt(2)));

  %Total Entropy
  HT2p(i) = HS2p(i) + HE2p(i);

  %Worst case (pii=0,pij=1)
  %HS2wc(i) = HS2(i);
  HS2(i) = -1*r^2*log(r^2) - 2*r*q*log(2*r*q) - q^2*log(q^2);

  %Cond. Error Entropy
  HE2wc(i) = 2*q*r*log(100*sqrt(3/2)/(sigma*sqrt(pi*e))) + ...
             r^2*log(sqrt(3)) + q^2*log(100/(sigma*sqrt(2)));

  %Total Entropy
  HT2wc(i) = HS2(i) + HE2wc(i);

  %Perfect case
  %HS2pc(i) = HS2(i);

  %Cond. Error Entropy
  HE2pc(i) = r^2*log(sqrt(3/2)) + 2*q*r*log(sqrt(3)) + ...
             q^2*log(100/(sigma*sqrt(2)));

  %Total Entropy
  HT2pc(i) = HS2(i) + HE2pc(i);

end;


% Calculation of error HE entropy over time t for
% Single structure with possible shutdown and
% with FDI which is: poor, worst-case, and
% perfect-case

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

lamda = .000142*24; %Single structure failure rate

for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)
  HE1p(i) = 0.5*r*0.55 + 0.5*q*5.54;

  %Worst case (pii=0,pij=1)
  HE1wc(i) = q*5.54;

  %Perfect FDI
  HE1pc(i) = r*0.55;

end;


% Calculation of error HE entropy over time t for
% Single structure with possible shutdown,
% false alarm cost = missed detection cost,
% and with FDI which is: poor, worst-case,
% and perfect-case

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

lamda = .000142*24; %Single structure failure rate

for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)
  HE1p2(i) = 0.5*r*6.09 + 0.5*q*5.54;

  %Worst case (pii=0,pij=1)
  HE1wc2(i) = 5.54;

  %Perfect FDI
  HE1pc2(i) = r*0.55;

end;


% Calculation of state HS, error HE, and total system HT
% entropies over time t for Dual structure (DDRS)
% with FDI under Bayes and Neyman-Pearson criteria

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

e = 2.718282;
sigma = .3276; %Single structure error deviation
lamda = .000142*24; %Single structure failure rate
f = 5*sigma*sqrt(2);

for i=1:1600, t(i) = i;

  %Priors
  r = exp(-1*lamda*i); q = 1-r;

  %Event 0
  E0 = exp(-2*lamda*t(i));

  %Threshold by Bayes
  T = f/2 + sigma*sigma*2*log(r^2/(1-r^2))/f;
  %if T < 0, T = 0; end;
  %if T > 100, T = 100; end;

  %Threshold by Neyman-Pearson
  %T = 3*sigma*sqrt(2);

  %Priors: Dual Faults
  d1 = q^2*(.01*T - T^2/40000);
  d2 = q^2*(1-(.01*T - T^2/40000));

  %Conditionals
  p00 = erf(T/(sigma*2));
  p10 = 1-p00;
  p01 = 0.5*(erf((T-f)/(sigma*2)) - erf(-1*(T+f)/(sigma*2)));
  p11 = 1-p01;

  %Dual Structure Entropy with FDI & restructure to Single Structure
  %Channel Outcome Entropy
  HY2b(i) = -1*(r^2*p00 + 2*r*q*p01 + d1*p00 + d2*p01)*log(r^2*p00 + ...
            2*r*q*p01 + d1*p00 + d2*p01) - (r^2*p10 + 2*r*q*p11 + d1*p10 + ...
            d2*p11)*log(r^2*p10 + 2*r*q*p11 + d1*p10 + d2*p11);

  %Cond. Channel Entropy
  HC2b(i) = -1*r^2*(p00*log(p00) + p10*log(p10)) - ...
            2*q*r*(p01*log(p01) + p11*log(p11)) - d1*(p00*log(p00) + ...
            p10*log(p10)) - d2*(p11*log(p11) + p01*log(p01));

  %Total Rate
  RT2b(i) = HY2b(i) - HC2b(i);

  %State Entropy
  HS2b(i) = -1*r^2*p00*log(r^2*p00) - 2*q*r*p01*log(2*q*r*p01) - ...
            (r^2*p10 + q*r*p11)*log(r^2*p10 + q*r*p11) - (d1*p10 + d2*p11 + ...
            q*r*p11)*log(d1*p10 + d2*p11 + q*r*p11) - (d1*p00 + ...
            d2*p01)*log(d1*p00 + d2*p01);

  %Cond. Error Entropy
  HE2b(i) = r^2*p00*0.2 + 2*q*r*p01*4.85 + (r^2*p10 + q*r*p11)*0.55 + ...
            (d1*p10 + d2*p11 + q*r*p11)*5.54 + (d1*p00 + d2*p01)*5.37;

  %Total Entropy
  HT2b(i) = HS2b(i) + HE2b(i);

end;


% Calculation of state HS, error HE, and total system HT
% entropies over time t for Dual structure (DDRS)
% with FDI which is: poor, worst, and perfect-case

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

e = 2.718282;
sigma = .3276; %Single structure error deviation
lamda = .000142*24; %Single structure failure rate

for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)

  %Outcome Entropy
  HY2p(i) = log(2);

  %Cond. Entropy
  HC2p(i) = log(2);

  %State Entropy
  HS2p(i) = -0.5*r^2*log(0.5*r^2) - r*q*log(r*q) - 0.5*q^2*log(0.5*q^2) - ...
            0.5*(r^2 + r*q)*log(0.5*(r^2 + r*q)) - 0.5*(q^2 + r*q)*log(0.5*(q^2 + ...
            r*q));

  %Cond. Error Entropy
  HE2p(i) = r^2*0.1 + r*q*4.85 + q^2*2.685 + (r^2 + r*q)*0.275 + (q^2 + ...
            r*q)*2.77;

  %Total Entropy
  HT2p(i) = HS2p(i) + HE2p(i);

  %Worst case (pii=0,pij=1)

  %Outcome Entropy
  HY2wc(i) = -1*r^2*log(r^2) - (2*r*q + q^2)*log(2*r*q + q^2);

  %State Entropy
  HS2wc(i) = -1*r^2*log(r^2) - 2*r*q*log(2*r*q) - q^2*log(q^2);

  %Cond. Error Entropy
  HE2wc(i) = r^2*0.55 + 2*r*q*4.85 + q^2*5.37;

  %Total Entropy
  HT2wc(i) = HS2wc(i) + HE2wc(i);

  %Perfect FDI

  %State Entropy
  HS2pc(i) = -1*r^2*log(r^2) - r*q*log(r*q) - (r*q + q^2)*log(r*q + q^2);

  %Cond. Error Entropy
  HE2pc(i) = r^2*0.2 + r*q*0.55 + (r*q + q^2)*5.54;

  %Total Entropy
  HT2pc(i) = HS2pc(i) + HE2pc(i);

end;


% Calculation of information rate RT and error entropy HE
% over time t for Dual structure (DDRS) with Full FDI
% which is: poor, worst, perfect, and perfect/poor

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

e = 2.718282;
sigma = .3276; %Single structure error deviation
lamda = .000142*24; %Single structure failure rate

for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)
  %Cond. Error Entropy
  HE2F1p(i) = r^2*0.025 + r*q*1.213 + q^2*0.671 + (r^2 + r*q)*0.481 + ...
              (q^2 + r*q)*4.85;

  %Worst case (pii=0,pij=1)
  %Cond. Error Entropy
  HE2F1wc(i) = r^2*0.55 + 2*r*q*5.54 + q^2*5.37;

  %Perfect FDI
  %Cond. Error Entropy
  HE2F1pc(i) = r^2*0.2 + 2*r*q*0.55 + q^2*5.54;

  %Perfect Duplex, Poor Simplex
  %Cond. Error Entropy
  HE2F1pcp(i) = r^2*0.05 + (r^2*0.75 + r*q)*0.55 + (q^2 + r*q)*5.54;

  %Poor Duplex, Perfect Simplex
  %Rate
  RT2F2ppc(i) = -1*(1-q^2)*0.5*log(1-q^2) - q^2*0.5*log(q^2);
  RT2F1ppc(i) = -1*r^2*0.5*log(r^2) - (2*r*q + r^2*0.5)*log(2*r*q + ...
                r^2*0.5) - q^2*log(q^2);

  %Cond. Error Entropy
  HE2F2ppc(i) = r^2*0.1 + r*q*4.85 + q^2*2.685 + (r^2 + 2*r*q)*0.275 + ...
                q^2*2.77;
  HE2F1ppc(i) = r^2*0.1 + (r^2*0.5 + 2*r*q)*0.55 + q^2*5.54;

end;


% Calculation of error entropy HE over time t for Dual
% structure (DDRS) with Shutdown and with Full FDI
% which is: poor, worst, perfect, and perfect/poor

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

e = 2.718282;
sigma = .3276; %Single structure error deviation
lamda = .000142*24; %Single structure failure rate

% The loop header is absent from the scanned listing; the range below is
% the one used by the other programs in this appendix.
for i=1:1600, t(i) = i;

  %Reliability and Unreliability for Single Structure
  r = exp(-1*lamda*i); q = 1-r;

  %Poor FDI case (pii = pij = .5)
  %Cond. Error Entropy
  HE2F0p(i) = r^2*0.2/8 + r*q*4.85/4 + q^2*5.37/8 + (r^2*3/4 + ...
              r*q*11/16)*0.55 + (q^2*6/8 + r*q*17/16 + r^2/8)*5.54;
  HE2F1p(i) = r^2*0.2/8 + r*q*4.85/4 + q^2*5.37/8 + (r^2 + ...
              r*q)*0.55*5/8 + (q^2*5 + r*q*9 + r^2*2)*5.54/8;
  HE2F2p(i) = r^2*0.2/2 + r*q*4.85 + q^2*5.37/2 + (r^2 + r*q)*0.55*3/8 + ...
              (q^2*3 + r*q*5 + r^2)*5.54/8;
  HE2F3p(i) = (2*r*q + r^2)*5.54;

  %Worst case (pii=0,pij=1)
  %Cond. Error Entropy
  HE2F1wc(i) = (r^2 + 2*r*q)*5.54 + q^2*5.37;
  HE2F2wc(i) = r^2*5.54 + 2*r*q*4.85 + q^2*5.37;

  %Perfect FDI
  %Cond. Error Entropy
  HE2F1pc(i) = r^2*0.2 + 2*r*q*0.55;

  %Perfect Duplex, Poor Simplex
  %Cond. Error Entropy
  HE2F1pcp(i) = r^2*0.2/4 + (r^2*2 + r*q*3)*0.55/4 + (q^2*3 + r*q*5 + ...
                r^2)*5.54/4;
  HE2F2pcp(i) = r^2*0.2 + r*q*6*0.55/8 + (q^2*3 + r*q*5)*5.54/4;
  HE2F3pcp(i) = r^2*0.2 + 2*r*q*5.54;

  %Poor Duplex, Perfect Simplex
  %Cond. Error Entropy
  HE2F1ppc(i) = r^2*0.1 + (r^2*0.5 + 2*r*q)*0.55;
  HE2F2ppc(i) = r^2*0.1 + r*q*4.85 + q^2*5.37/2 + (r^2 + 2*r*q)*0.55/2;

end;


% Calculation of error entropy HE and total system rate RT
% over time t for Triple Redundant Structure (TRS) with
% masking, averaging, and ideal FDI

% Entropy measure function = Gaussian Function of the
% Conditional Error for Operational TRS

% Matlab program, Victor J. Hunt (10/91)

lamda = .000142*24; %Single structure failure rate

for i=1:1600, t(i) = i;

  %Priors
  r = exp(-1*lamda*i); q = 1-r;

  %Voting or Averaging Scheme (no decisions made)
  %Cond. Error Entropy
  HE3v(i) = 3*q*r^2*4.45 + 3*r*q^2*4.97 + q^3*5.17;

  %Fault Masking Scheme (no decisions made)
  %Cond. Error Entropy
  HE3m(i) = (r^3 + 3*q*r^2 + r*q^2)*0.55 + (2*r*q^2 + q^3)*5.54;

  %Perfect TRS, Poor Simplex
  %Information Rate
  RT3pcp(i) = -1*r^3*log(r^3) - 3*q*r^2*log(3*q*r^2) - (3*r*q^2 + ...
              q^3)*log(3*r*q^2 + q^3);

  %Cond. Error Entropy
  HE3pcp(i) = 3*q*r^2*0.2 + r*q^2*0.55 + (2*r*q^2 + q^3)*5.54;

  %Cond. Error Entropy with No Cost for Shutdown
  HE3pcp2(i) = 3*q*r^2*0.2 + r*q^2*0.413 + (9*r*q^2 + 3*q^3)*1.39;

  %Perfect Full FDI
  %Information Rate
  %RT3pc(i) = HS3(i);

  %Cond. Error Entropy
  HE3pc(i) = 3*q*r^2*0.20 + 3*r*q^2*0.55 + q^3*5.54;

  %Cond. Error Entropy with No Cost for Shutdown
  HE3pc2(i) = 3*q*r^2*0.20 + 3*r*q^2*0.55;

  %Perfect TRS, No Simplex
  %Cond. Error Entropy with No Cost for Shutdown
  HE3NS(i) = 3*q*r^2*0.20 + 3*r*q^2*5.54;


